From cc5d24f0462efed32d20765246bad52e369e4193 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Sat, 6 Aug 2016 16:01:21 -0400
Subject: [PATCH 01/43] Add links to branches in CONTRIBUTING
---
 CONTRIBUTING.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 18a884b..84b49ae 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,18 +2,18 @@
 This project uses a Gitflow-like organization for code:
-* The `master` branch represents a stable version of the project at any given time.
-* Releases are tags on the `master` branch.
-* All features and bug fixes are performed against the `develop` branch.
-* New features are allocated their own branch based on the `develop` branch, and pull requests are made from the new feature branch to the `develop` branch.
+* The [`master`](https://github.com/kristovatlas/osx-config-check/tree/master) branch represents a stable version of the project at any given time.
+* Releases are tags on the [`master`](https://github.com/kristovatlas/osx-config-check/tree/master) branch.
+* All features and bug fixes are performed against the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch.
+* New features are allocated their own branch based on the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch, and pull requests are made from the new feature branch to the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch.
 Developers who wish to submit a pull request should perform the following protocol:
 1. Fork the project on GitHub
-2. Create a special-purpose branch from the `develop` branch, e.g. 'fix-filevault' or 'disable-apple-mail'
+2. Create a special-purpose branch from the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch, e.g. 'fix-filevault' or 'disable-apple-mail'
 3. Implement the changes in the branch
 4. Follow the guidelines in the sections below depending on whether you are modifying configuration checks, Python code, or any combination therefore
-5. Make a pull request from your feature branch to the `develop` branch.
+5. Make a pull request from your feature branch to the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch.
 ## Modifying default configuration checks
From 256b2cd33662dfb37fe20a04ce274b21dc22adab Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Sun, 7 Aug 2016 01:05:06 -0400
Subject: [PATCH 02/43] added additional commands to fix destroyfvkeyonstandby
* added relatively short bash script for checking status
* added more compound fix commands
This configuration set has been stable on other OS X system so far
---
 osx-config.hjson | 12 +++++++-----
 osx-config.json | 2 +-
 scripts/DestroyFVKeyOnStandby_check.sh | 20 ++++++++++++++++++++
 3 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 scripts/DestroyFVKeyOnStandby_check.sh
diff --git a/osx-config.hjson b/osx-config.hjson
index ae6e596..aaf5fec 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -601,16 +601,18 @@
 },
 {
 description: "The File Vault key is destroyed when going to standby mode."
+ //Once this set of configurations is proven stable, this can be upgraded from "experimental" to "recommended". We may want to warn the user first that waking will be slower and require authenticating twice.
 confidence: "experimental"
 reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide"
- type: "regex match"
- command: "pmset -g"
- expected_regex: ".*destroyfvkeyonstandby\\s+1.*"
+ type: "exact match"
+ command: "bash ./scripts/DestroyFVKeyOnStandby_check.sh"
+ expected_stdout: "1"
 case_sensitive: "false"
 fix: {
- command: "pmset -a destroyfvkeyonstandby 1"
- sudo_command: "sudo pmset -a destroyfvkeyonstandby 1"
+ //Additional configurations are required to make this setting not fight with powernap/standby/autopoweroff. See: https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124
+ command: "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0"
+ sudo_command: "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"
 }
 },
 {
diff --git a/osx-config.json b/osx-config.json
index 4ed825b..179a511 100644
--- a/osx-config.json
+++ b/osx-config.json
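Review bot: The new check command `bash ./scripts/DestroyFVKeyOnStandby_check.sh` is a relative path, so it only resolves when the tool is started from the repository root; from any other working directory it fails or runs whatever file sits at that path. Because this config also carries `sudo` commands, the runner should resolve the script against its own install directory, or the entry should state that the tool must be run from the repo root. The compound `fix` joins six `pmset` calls with `;`, so a failed call does not stop the rest and the machine can be left half-configured; chaining with `&&`, e.g. `pmset -a destroyfvkeyonstandby 1 && pmset -a hibernatemode 25 && …`, would stop at the first failure. The fix now also turns off powernap, standby and autopoweroff, which the `description` does not mention, and the entry has no `undo` key although other entries in the generated osx-config.json do. Whether the check script verifies all six settings or only `destroyfvkeyonstandby` cannot be seen from this hunk and is worth confirming, since `expected_stdout: "1"` is the only pass signal.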
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "type": "exact match", "command": "id -Gn | grep -c -w admin", "expected_stdout": "0", "case_sensitive": "false", "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver 
(current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "sudo_command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "openssl version", "expected_stdout": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false", "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl 
/usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "softwareupdate --schedule | grep 'Automatic check is on'", "sudo_command": "sudo softwareupdate --schedule | grep 'Automatic check is on'", "expected_stdout": "Automatic check is on", "case_sensitive": "false", "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate 
--schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "type": "exact match", "command": "spctl --status | grep 'assessments enabled'", "expected_stdout": "assessments enabled", "case_sensitive": "false", "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read com.apple.NetworkBrowser 
DisableAirDrop", "sudo_command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup -getremotelogin", "sudo_command": "sudo systemsetup -getremotelogin", "expected_stdout": "Remote Login: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -f 
-setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "systemsetup -getremoteappleevents", "sudo_command": "sudo systemsetup -getremoteappleevents", "expected_stdout": "Remote Apple Events: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is 
disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "sudo_command": "sudo systemsetup getwakeonnetworkaccess", "expected_stdout": "Wake On Network Access: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "type": "exact match", "command": "systemsetup getusingnetworktime", "sudo_command": "sudo systemsetup getusingnetworktime", "expected_stdout": "Network Time: Off", "case_sensitive": "false", "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" 
]; then echo 0; else echo 1; fi", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*destroyfvkeyonstandby\\s+1.*", "case_sensitive": "false", "fix": {"command": "pmset -a destroyfvkeyonstandby 1", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*hibernatemode\\s+25.*", "case_sensitive": "false", "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "type": "regex match", "command": "git --version", "expected_regex": ".*(command not found|2\\.8\\.2).*", 
"case_sensitive": "false", "fix": {"command": "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "launchctl list", "sudo_command": "sudo launchctl list", "expected_regex": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "expected_regex": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false", "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "type": "regex match", "command": "curl --version", "expected_regex": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false", "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*FileVault is On.*$", 
"case_sensitive": "false", "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*device path \\=\\s+.*$", "case_sensitive": "false", "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "expected_regex": "^(0\n*)+$", "case_sensitive": "false", "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The 
Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": 
"Files downloaded in Safari are not automatically opened.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "expected_stdout": "0", 
"case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, 
{"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "type": 
"exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", 
"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; exit; fi; if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "expected_regex": ".*False$", "case_sensitive": "false", "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"The attribute 'profile.default_content_setting_values.popups' does not exist\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi", "expected_regex": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Shockwave Flash'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Adobe Flash Player'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Native Client'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Widevine Content Decryption Module'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "expected_stdout": "Google Chrome", "case_sensitive": "false", "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "type": "exact match", "command": "id -Gn | grep -c -w admin", "expected_stdout": "0", "case_sensitive": "false", "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver 
(current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "sudo_command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "openssl version", "expected_stdout": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false", "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl 
/usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "softwareupdate --schedule | grep 'Automatic check is on'", "sudo_command": "sudo softwareupdate --schedule | grep 'Automatic check is on'", "expected_stdout": "Automatic check is on", "case_sensitive": "false", "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate 
--schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "type": "exact match", "command": "spctl --status | grep 'assessments enabled'", "expected_stdout": "assessments enabled", "case_sensitive": "false", "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read com.apple.NetworkBrowser 
DisableAirDrop", "sudo_command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup -getremotelogin", "sudo_command": "sudo systemsetup -getremotelogin", "expected_stdout": "Remote Login: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -f 
-setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "systemsetup -getremoteappleevents", "sudo_command": "sudo systemsetup -getremoteappleevents", "expected_stdout": "Remote Apple Events: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is 
disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "sudo_command": "sudo systemsetup getwakeonnetworkaccess", "expected_stdout": "Wake On Network Access: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "type": "exact match", "command": "systemsetup getusingnetworktime", "sudo_command": "sudo systemsetup getusingnetworktime", "expected_stdout": "Network Time: Off", "case_sensitive": "false", "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" 
]; then echo 0; else echo 1; fi", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*hibernatemode\\s+25.*", "case_sensitive": "false", "fix": {"command": 
"pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "type": "regex match", "command": "git --version", "expected_regex": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false", "fix": {"command": "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "launchctl list", "sudo_command": "sudo launchctl list", "expected_regex": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "expected_regex": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false", "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "type": "regex match", "command": "curl --version", "expected_regex": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false", "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*FileVault is On.*$", "case_sensitive": "false", "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*device path \\=\\s+.*$", "case_sensitive": "false", "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "expected_regex": "^(0\n*)+$", "case_sensitive": "false", "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed 
-e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "type": "exact match", "command": "defaults 
-currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": 
"JavaScript disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "type": 
"exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", 
"expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; exit; fi; if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "expected_regex": ".*False$", "case_sensitive": "false", "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"The attribute 'profile.default_content_setting_values.popups' does not exist\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi", "expected_regex": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Shockwave Flash'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Adobe Flash Player'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Native Client'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Widevine Content Decryption Module'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "expected_stdout": "Google Chrome", "case_sensitive": "false", "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file diff --git a/scripts/DestroyFVKeyOnStandby_check.sh b/scripts/DestroyFVKeyOnStandby_check.sh new file mode 100644 index 0000000..e69d9a5 --- /dev/null +++ b/scripts/DestroyFVKeyOnStandby_check.sh 
@@ -0,0 +1,20 @@ +#!/bin/bash +# Description: Checks various configuration settings related to the +# "DestroyFVKeyOnStandby" setting. +# See: https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124 +# +# Usage: DestroyFVKeyOnStandby_check.sh + + +VALUE1=$(pmset -g | grep -i "DestroyFVKeyOnStandby" | cut -f 3) +VALUE2=$(pmset -g | grep "hibernatemode" | cut -d " " -f 10) +VALUE3=$(pmset -g | grep "powernap" | cut -d " " -f 15) +VALUE4=$(pmset -g | grep "standby " | cut -d " " -f 16) +VALUE5=$(pmset -g | grep "standbydelay" | cut -d " " -f 11) +VALUE6=$(pmset -g | grep "autopoweroff " | cut -d " " -f 11) + +if [ "$VALUE1" = "1" ] && [ "$VALUE2" = "25" ] && [ "$VALUE3" = "0" ] && [ "$VALUE4" = "0" ] && [ "$VALUE5" = "0" ] && [ "$VALUE6" = "0" ] ; then + echo "1" +else + echo "0" +fi From 659a716b75646738c75243fdac4a6059a7bbc6ed Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 7 Aug 2016 19:56:52 -0400 Subject: [PATCH 03/43] add api.sh script and prepend source it for all check commands --- app.py | 3 +++ osx-config.hjson | 15 +++++++++++++++ scripts/api.sh | 25 +++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 scripts/api.sh diff --git a/app.py b/app.py index 9bea7ca..c22a034 100644 --- a/app.py +++ b/app.py @@ -22,6 +22,8 @@ const.FIX_RECOMMENDED_BY_DEFAULT = True #TODO: command line flag const.FIX_EXPERIMENTAL_BY_DEFAULT = False #TODO: command line flag +const.API_FILENAME = './scripts/api.sh' + const.COLORS = { 'HEADER': '\033[95m', 'OKBLUE': '\033[94m', @@ -296,6 +298,7 @@ def _execute_check(command, comparison_type, expected, case_sensitive): bool: Whether the output matched the expected output of the command. """ #http://stackoverflow.com/questions/7129107/python-how-to-suppress-the-output-of-os-system + command = "source %s ; %s" % (const.API_FILENAME, command) process = Popen(command, stdout=PIPE, stderr=STDOUT, shell=True) stdout, _ = process.communicate() 
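Review bot: The six `VALUEn` assignments pick values out of `pmset -g` by counting padding spaces (`cut -d " " -f 10`, `-f 15`, `-f 16`, `-f 11`), so any change in pmset's column alignment yields empty strings and the script prints `0` on a correctly configured machine. The substring greps are also loose: `grep "hibernatemode"` or `grep "powernap"` would match any other line that contains those words. Matching the setting name as the first whitespace-separated field and printing the second removes both problems and needs only one `pmset` call. This assumes pmset keeps printing name and value as two columns, which the current `cut` calls already depend on. A short comment saying why these six values must hold together would also help, since the header only links the upstream issue.

```shell
# … unchanged: header comment …
SETTINGS=$(pmset -g)

# Print the value column for the setting whose name is exactly $1.
pm_value() {
    printf '%s\n' "$SETTINGS" | awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

VALUE1=$(pm_value "DestroyFVKeyOnStandby")
VALUE2=$(pm_value "hibernatemode")
VALUE3=$(pm_value "powernap")
VALUE4=$(pm_value "standby")
VALUE5=$(pm_value "standbydelay")
VALUE6=$(pm_value "autopoweroff")
# … unchanged: comparison of the six values and echo of 1/0 …
```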
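Review bot: The prefix added in `_execute_check`, `"source %s ; %s"`, combines a working-directory-relative `./scripts/api.sh` with a `;` separator, so when the tool is started from another directory the `source` fails and the check command still runs with the helper functions undefined. Because the `Popen` call uses `stderr=STDOUT`, the shell's error text then lands in the output that is compared against the expected value. Resolving the path from the module location, e.g. `const.API_FILENAME = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'scripts', 'api.sh')`, and chaining with `&&` (`command = "source '%s' && %s" % (const.API_FILENAME, command)`) makes a missing helper file fail the check visibly. An absolute path also avoids executing whatever `scripts/api.sh` happens to sit under the current directory, which matters for a tool whose config carries `sudo` fixes. `_execute_check` starts and ends outside this hunk, and `os` being imported in app.py is assumed.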
diff --git a/osx-config.hjson b/osx-config.hjson
index aaf5fec..691eeb8 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -1674,4 +1674,19 @@
 }
 }
 */
+ /* useful for debugging api.sh
+ {
+ description: "DEBUG for api.sh"
+ confidence: "required"
+ type: "exact match"
+ command:
+ echo $(homebrew_is_installed)
+ expected_stdout: "1"
+ case_sensitive: "false"
+ fix:
+ {
+ manual: "blah"
+ }
+ }
+ */
 ]
diff --git a/scripts/api.sh b/scripts/api.sh
new file mode 100644
index 0000000..c94a2bc
--- /dev/null
+++ b/scripts/api.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Description: Contains functions that serve as an API for osx-config-check and
+# which maximize code reuse of bash script.
+# All functions added to this file should be simple and easy to review for
+# security.
+
+# Other bash scripts can use these functions by sourcing this file and invoking
+# the functions as if they were commands. Example:
+# source ./scripts/api.sh ; if [ $(homebrew_is_installed) = "1" ] ; then echo "pass" ; else echo "fail" ; fi
+# OR
+# source ./scripts/api.sh ; echo $(homebrew_is_installed)
+
+function homebrew_is_installed {
+ TEST=$(which brew)
+ if [ -n "$TEST" ] ; then
+ TEST=$(brew --version | grep Homebrew)
+ if [ -n "$TEST" ] ; then
+ echo 1
+ else
+ echo 0
+ fi
+ else
+ echo 0
+ fi
+}
From 97a671f43f6fc946cd2ff9e49b84a5ba66c8e7ee Mon Sep 17 00:00:00 2001
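Review bot: `homebrew_is_installed` assigns `TEST` without `local`, and because this file is sourced into the same shell as every check command, the variable leaks out and can clobber a `TEST` that a check uses itself. Declaring `local TEST` as the first line of the function keeps it private. The body could also drop the variable: `if command -v brew >/dev/null 2>&1 && brew --version 2>/dev/null | grep -q Homebrew ; then echo 1 ; else echo 0 ; fi`. The usage example in the header comment should quote the substitution, `[ "$(homebrew_is_installed)" = "1" ]`, so that an empty result is a failed comparison instead of a `[` syntax error.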
From: Kristov Atlas Date: Sun, 7 Aug 2016 23:32:01 -0400 Subject: [PATCH 04/43] Use chrome_is_installed api function detect whether chrome is installed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit QA: Verified that the commands work (generally speaking) correctly when Chrome isn’t installed (caveat: https://github.com/kristovatlas/osx-config-check/issues/108) and that they work correctly when it is installed. --- osx-config.hjson | 51 ++++++++++++++++++++++++------------------------ osx-config.json | 2 +- scripts/api.sh | 10 ++++++++++ 3 files changed, 37 insertions(+), 26 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index 691eeb8..25a9572 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -1234,7 +1234,8 @@ description: "The Google Chrome browser is currently closed." confidence: "required" type: "exact match" - command: "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'" + command: + if [ $(chrome_is_installed) = "0" ] ; then echo "2" ; else ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' ; fi expected_stdout: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. case_sensitive: "false" fix: @@ -1249,7 +1250,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: 
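Review bot: `[ $(chrome_is_installed) = "0" ]` leaves the command substitution unquoted, so if `api.sh` was not sourced or the function prints nothing, the test collapses to `[ = "0" ]`, errors out, and the check takes the "Chrome is installed" branch with the shell error mixed into its output. Quoting it, `if [ "$(chrome_is_installed)" = "0" ] ; then …`, turns an empty result into an ordinary false comparison. The same pattern repeats in every later hunk of this osx-config.hjson section, from `@@ -1249,7 +1250,7 @@` through `@@ -1624,7 +1625,7 @@`. The definition of `chrome_is_installed` sits in the `scripts/api.sh` part of this commit, which is not visible here, so its `0`/`1` output contract is assumed to mirror `homebrew_is_installed`.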
@@ -1264,7 +1265,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: @@ -1279,7 +1280,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi expected_regex: "^(2\n?)+$" case_sensitive: "false" fix: @@ -1294,7 +1295,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: 
@@ -1311,7 +1312,7 @@ reference: "https://en.wikipedia.org/wiki/Google_Safe_Browsing" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi expected_regex: "^(True\n?)+$" case_sensitive: "false" fix: @@ -1326,7 +1327,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: 
@@ -1341,7 +1342,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; exit; fi; if [ -e "$(ls ~/Library/Application\ Support/Google/Chrome/Consent\ To\ Send\ Stats)" ]; then echo "True"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\ Support/Google/Chrome/Local\ State user_experience_metrics.reporting_enabled) + if [ $(chrome_is_installed) = "0" ]; then echo "False"; exit; fi; if [ -e "$(ls ~/Library/Application\ Support/Google/Chrome/Consent\ To\ Send\ Stats)" ]; then echo "True"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\ Support/Google/Chrome/Local\ State user_experience_metrics.reporting_enabled) expected_regex: ".*False$" case_sensitive: "false" fix: @@ -1357,7 +1358,7 @@ type: "regex match" //This check should short-circuit and match the regex if Chrome is not installed command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi expected_regex: "^(True\n?)+$" case_sensitive: "false" fix: 
@@ -1372,7 +1373,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "The attribute 'profile.default_content_setting_values.popups' does not exist"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "The attribute 'profile.default_content_setting_values.popups' does not exist"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi expected_regex: ^(The attribute 'profile.default_content_setting_values.popups' does not exist\n?)|(None\n?)+$ case_sensitive: "false" @@ -1388,7 +1389,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi expected_regex: "^(2\n?)+$" case_sensitive: "false" fix: 
@@ -1405,7 +1406,7 @@ reference: "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi expected_regex: "^(2\n?)+$" case_sensitive: "false" fix: @@ -1420,7 +1421,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: @@ -1436,7 +1437,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: 
@@ -1451,7 +1452,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: @@ -1466,7 +1467,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: @@ -1483,7 +1484,7 @@ reference: "https://en.wikipedia.org/wiki/Local_shared_object" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: 
@@ -1499,7 +1500,7 @@ reference: "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi expected_regex: "^(False\n?)+$" case_sensitive: "false" fix: @@ -1514,7 +1515,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "'enabled': False, 'name': 'Shockwave Flash'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Shockwave Flash'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi expected_regex: ^(\[[^\[]+'enabled': False, 'name': 'Shockwave Flash'[^\]]+\]\n?)+$ case_sensitive: "false" 
@@ -1531,7 +1532,7 @@ confidence: "required" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "'enabled': False, 'name': 'Adobe Flash Player'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Adobe Flash Player'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi expected_regex: ^(\[[^\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\]]+\]\n?)+$ case_sensitive: "false" @@ -1549,7 +1550,7 @@ reference: "https://developer.chrome.com/native-client" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "'enabled': False, 'name': 'Native Client'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Native Client'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi expected_regex: ^(\[[^\[]+'enabled': False, 'name': 'Native Client'[^\]]+\]\n?)+$ case_sensitive: "false" 
@@ -1566,7 +1567,7 @@ confidence: "recommended" type: "regex match" command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "'enabled': False, 'name': 'Widevine Content Decryption Module'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi + if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Widevine Content Decryption Module'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi expected_regex: ^(\[[^\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\]]+\]\n?)+$ case_sensitive: "false" 
@@ -1584,7 +1585,7 @@ type: "exact match" //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI. command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; + if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; expected_stdout: "True" case_sensitive: "false" fix: 
@@ -1604,7 +1605,7 @@ type: "exact match" //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI. command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; + if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; expected_stdout: "True" case_sensitive: "false" fix: 
@@ -1624,7 +1625,7 @@ type: "exact match" //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI. command: - if [ ! -e "/Applications/Google Chrome.app" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; + if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ; expected_stdout: "True" case_sensitive: "false" fix: diff --git a/osx-config.json b/osx-config.json index 179a511..4f646ae 100644 --- a/osx-config.json 
+++ b/osx-config.json 
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "type": "exact match", "command": "id -Gn | grep -c -w admin", "expected_stdout": "0", "case_sensitive": "false", "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver 
(current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "sudo_command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "openssl version", "expected_stdout": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false", "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl 
/usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "softwareupdate --schedule | grep 'Automatic check is on'", "sudo_command": "sudo softwareupdate --schedule | grep 'Automatic check is on'", "expected_stdout": "Automatic check is on", "case_sensitive": "false", "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate 
--schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "type": "exact match", "command": "spctl --status | grep 'assessments enabled'", "expected_stdout": "assessments enabled", "case_sensitive": "false", "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read com.apple.NetworkBrowser 
DisableAirDrop", "sudo_command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup -getremotelogin", "sudo_command": "sudo systemsetup -getremotelogin", "expected_stdout": "Remote Login: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -f 
-setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "systemsetup -getremoteappleevents", "sudo_command": "sudo systemsetup -getremoteappleevents", "expected_stdout": "Remote Apple Events: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is 
disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "sudo_command": "sudo systemsetup getwakeonnetworkaccess", "expected_stdout": "Wake On Network Access: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "type": "exact match", "command": "systemsetup getusingnetworktime", "sudo_command": "sudo systemsetup getusingnetworktime", "expected_stdout": "Network Time: Off", "case_sensitive": "false", "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" 
]; then echo 0; else echo 1; fi", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*hibernatemode\\s+25.*", "case_sensitive": "false", "fix": {"command": 
"pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "type": "regex match", "command": "git --version", "expected_regex": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false", "fix": {"command": "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "launchctl list", "sudo_command": "sudo launchctl list", "expected_regex": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "expected_regex": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false", "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "type": "regex match", "command": "curl --version", "expected_regex": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false", "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*FileVault is On.*$", "case_sensitive": "false", "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*device path \\=\\s+.*$", "case_sensitive": "false", "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "expected_regex": "^(0\n*)+$", "case_sensitive": "false", "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed 
-e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "type": "exact match", "command": "defaults 
-currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": 
"JavaScript disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "type": 
"exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", 
"expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; exit; fi; if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "expected_regex": ".*False$", "case_sensitive": "false", "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"The attribute 'profile.default_content_setting_values.popups' does not exist\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi", "expected_regex": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Shockwave Flash'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Adobe Flash Player'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "type": "regex match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Native Client'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "type": "regex match", "command": "if [ ! -e \"/Applications/Google Chrome.app\" ]; then echo \"'enabled': False, 'name': 'Widevine Content Decryption Module'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "type": "exact match", "command": "if [ ! 
-e \"/Applications/Google Chrome.app\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "expected_stdout": "Google Chrome", "case_sensitive": "false", "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "type": "exact match", "command": "id -Gn | grep -c -w admin", "expected_stdout": "0", "case_sensitive": "false", "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver 
(current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "sudo_command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "openssl version", "expected_stdout": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false", "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl 
/usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "softwareupdate --schedule | grep 'Automatic check is on'", "sudo_command": "sudo softwareupdate --schedule | grep 'Automatic check is on'", "expected_stdout": "Automatic check is on", "case_sensitive": "false", "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate 
--schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "type": "exact match", "command": "spctl --status | grep 'assessments enabled'", "expected_stdout": "assessments enabled", "case_sensitive": "false", "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read com.apple.NetworkBrowser 
DisableAirDrop", "sudo_command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup -getremotelogin", "sudo_command": "sudo systemsetup -getremotelogin", "expected_stdout": "Remote Login: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -f 
-setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "systemsetup -getremoteappleevents", "sudo_command": "sudo systemsetup -getremoteappleevents", "expected_stdout": "Remote Apple Events: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is 
disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "sudo_command": "sudo systemsetup getwakeonnetworkaccess", "expected_stdout": "Wake On Network Access: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "type": "exact match", "command": "systemsetup getusingnetworktime", "sudo_command": "sudo systemsetup getusingnetworktime", "expected_stdout": "Network Time: Off", "case_sensitive": "false", "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" 
]; then echo 0; else echo 1; fi", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*hibernatemode\\s+25.*", "case_sensitive": "false", "fix": {"command": 
"pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "type": "regex match", "command": "git --version", "expected_regex": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false", "fix": {"command": "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "launchctl list", "sudo_command": "sudo launchctl list", "expected_regex": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "expected_regex": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false", "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "type": "regex match", "command": "curl --version", "expected_regex": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false", "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*FileVault is On.*$", "case_sensitive": "false", "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*device path \\=\\s+.*$", "case_sensitive": "false", "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "expected_regex": "^(0\n*)+$", "case_sensitive": "false", "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed 
-e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "type": "exact match", "command": "defaults 
-currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": 
"JavaScript disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "type": 
"exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", 
"expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ] ; then echo \"2\" ; else ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' ; fi", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; exit; fi; if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "expected_regex": ".*False$", "case_sensitive": "false", "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP 
header.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"The attribute 'profile.default_content_setting_values.popups' does not exist\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi", "expected_regex": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} 
python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi", 
"expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Shockwave Flash'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the 
Adobe Flash Player plug-in.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Adobe Flash Player'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Native Client'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Widevine Content Decryption Module'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption 
Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "expected_stdout": "Google Chrome", "case_sensitive": "false", "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file diff --git a/scripts/api.sh b/scripts/api.sh index c94a2bc..f7225d6 100644 --- a/scripts/api.sh +++ b/scripts/api.sh 
@@ -23,3 +23,13 @@ function homebrew_is_installed { echo 0 fi } + +function chrome_is_installed { + #detects whether Google Chrome is installed + TEST=$(mdfind kMDItemCFBundleIdentifier = 'com.google.Chrome') + if [ -n "$TEST" ] ; then + echo 1 + else + echo 0 + fi +} From 99564e3cf039651d2e754ea2b52e795ed23c683b Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 7 Aug 2016 23:45:08 -0400 Subject: [PATCH 05/43] add details about versioning satisfies https://github.com/kristovatlas/osx-config-check/issues/110 --- CONTRIBUTING.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 84b49ae..a61a41c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
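Review bot: `chrome_is_installed` relies on `mdfind` alone, so it echoes 0 whenever Spotlight has no entry for the bundle, for example when indexing is switched off or the volume is excluded. The Chrome checks in osx-config.json answer `True` as soon as this function echoes 0, so an undetected Chrome is reported as a passed check. A fallback ahead of the `mdfind` call, such as `[ -d "/Applications/Google Chrome.app" ] && echo 1 && return`, covers the default install location without depending on the index. `TEST` is also assigned as a global in a file that app.py appears to source before every check command, so `local TEST` is the safer declaration.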
@@ -42,3 +42,18 @@ To "install" this pre-commit hook, copy it to the `.git/hooks` directory contain ## Modifying Python files You SHOULD use `pylint` on any Python files you modify before submitting your modifications. Please attempt to avoid lowering the `pylint` score of these files. + +## Versioning + +The osx-config-check project aims to use [Semantic Versioning 2.0.0](http://semver.org/spec/v2.0.0.html). + +1. A major version number is incremented when an incompatible change is made either to the Hjson syntax for a config check or when an incompatible change is made to api.sh functions (e.g. a function is removed or its prototype modified). +2. A minor version number is incremented when a feature is added that is backwards-compatible, including: + * A new element is added to the Hjson syntax that is compatible with existing config checks + * A new function is added to api.sh +3. A patch version number is incremented when a bug is fixed in a backward-compatible way, including: + * Changes to bash commands + * Changes to the contents of scripts + * Typos in code or documentation + +New versions are produced by merging stable changes from the [`develop`](https://github.com/kristovatlas/osx-config-check/tree/develop) branch to the [`master`](https://github.com/kristovatlas/osx-config-check/tree/master) branch, and by tagging them as a new release. From 32150c1e0c5b500348614c5e63c9320540ca98ee Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 7 Aug 2016 23:56:26 -0400 Subject: [PATCH 06/43] update syntax notes at the top of the Hjson file --- osx-config.hjson | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index 25a9572..a46463d 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
@@ -10,12 +10,16 @@ `description` is a human-readable string describing the configuration being checked. (REQUIRED FIELD) `confidence` indicates subjective estimation of negative side-effects. valid values: "required", "recommended", "experimental". (REQUIRED FIELD) `reference` provides a link to where a user can find more information about this configuration, or a citation of where this configuration was taken from. (OPTIONAL FIELD) - `type` is "exact match" or "regex match". (REQUIRED FIELD) - `command` is the command you want to verify the output of. Should not contain sudo. (OPTIONAL FIELD) - `sudo_command` a version of the command that requires elevated privileges should the `command` version fail to pass. (OPTIONAL FIELD) - `expected_stdout` is the stdout string to match if type is "exact match". (REQUIRED FIELD -- this or `expected_regex`) - `expected_regex` is the regex to match against stdout if type is "regex match". (REQUIRED FIELD -- this or `expected_stdout`) - `case_sensitive` is "true" or "false". (REQUIRED FIELD) + `tests`: // is an ordered array of test objects. (REQUIRED FIELD, should not be empty) + [ + { + `type` is "exact match" or "regex match". (REQUIRED FIELD) + `command` is the command you want to verify the output of (REQUIRED FIELD) + `command_pass` is the value that `command`'s output should match. If it matches, all tests pass and subsequent tests for this config are not evaluated. (OPTIONAL FIELD) + `command_fail` is the value that `command`'s output should NOT match. If it matches, all tests fail and subsequent tests for this config are not evaluated. (OPTIONAL FIELD) + `case_sensitive` is "true" or "false" depending on whether the `command_pass` and/or `command_fail` values are case-sensitive. (REQUIRED FIELD) + } + ] `fix`: // is a JSON object that specifies how to remediate a broken configuration (REQUIRED FIELD, should not be empty) { `command` is the command that you use to attempt automatic remediation without sudo privileges. 
(OPTIONAL FIELD) @@ -29,10 +33,22 @@ { description: "The OSX application firewall is enabled." confidence: "required" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" + command_pass: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true" From d17ef1c24c5aedd7e7a3bdf29953d9be4da9761f Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 7 Aug 2016 23:57:06 -0400 Subject: [PATCH 07/43] remove samples in comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are no longer needed — the config checks below are equally good samples. --- osx-config.hjson | 47 ----------------------------------------------- 1 file changed, 47 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index a46463d..1ffad6e 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
@@ -28,53 +28,6 @@ } } ] -/* samples: -[ - { - description: "The OSX application firewall is enabled." - confidence: "required" - tests: - [ - { - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" - command_pass: "1" - command_fail: "0" - case_sensitive: "false" - }, - { - type: "exact match" - command: "sudo defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" - command_pass: "1" - case_sensitive: "false" - } - ] - fix: - { - command: "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true" - sudo_command: "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true" - manual: - 1. Open System Preferences. - 2. Select "Security & Privacy". - 3. Select "Firewall". - 4. If necessary, click the lock icon in the bottom left corner and enter your administrator credentials. - 5. Select "Turn On Firewall". - } - }, - { - description: "The File Vault key is destroyed when going to standby mode." - confidence: "required" - type: "regex match" - command: "pmset -g" - expected_regex: ".*DestroyFVKeyOnStandby\\s+1.*" - case_sensitive: "false" - fix: - { - command: "pmset -a destroyfvkeyonstandby 1" - sudo_command: "sudo pmset -a destroyfvkeyonstandby 1" - } - } -] */ /* NOTES: * back-slashes '\' must be escaped with a double black-slash, i.e. '\\' From 5ffc90bee37d7493663de9385ec4f89d3d6b9e64 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Mon, 8 Aug 2016 00:15:20 -0400 Subject: [PATCH 08/43] move code according to latest order in Hjson spec --- app.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/app.py b/app.py index c22a034..d1167dd 100644 --- a/app.py +++ b/app.py 
@@ -149,9 +149,16 @@ def read_config(config_filename): if '_comment' in config_check: continue + #Config MUST specify a description of the check + description = config_check['description'] + dprint("Description: %s" % description) + #Config MUST specify a command to check the status of the system command = config_check['command'] + #Config MUST indicate the confidence of the configuration check + confidence = config_check['confidence'] + #Config MUST specify either expected STDOUT or regex pattern expected = None comparison_type = None @@ -171,13 +178,6 @@ def read_config(config_filename): if config_check['case_sensitive'] in ('true', True): case_sensitive = True - #Config MUST specify a description of the check - description = config_check['description'] - dprint("Description: %s" % description) - - #Config MUST indicate the confidence of the configuration check - confidence = config_check['confidence'] - #Config MUST specify a fix object assert 'fix' in config_check assert isinstance(config_check['fix'], dict) From eab2c1655d5831370a71c3d113e105fa91b1d6de Mon Sep 17 00:00:00 2001 
From: Kristov Atlas Date: Mon, 8 Aug 2016 22:48:46 -0400 Subject: [PATCH 09/43] Break tests into list with individual pass and fail states MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit changes the Hjson syntax to support a list of check tests, each of which can pass or fail early and prevent subsequent tests from being evaluated. This simplifies the syntax for commands that have simple prerequisites such as “is this app even installed?” An early fail state also helps avoid running checks with sudo privy unnecessarily. QA: Did lots of manual testing, running the app with debug print mode enabled and carefully reviewing output. Also confirmed that tests work correct when Google Chrome is installed or not installed, now that Chrome-related checks are now making use of this change. --- app.py | 213 +++--- osx-config.hjson | 1765 +++++++++++++++++++++++++++++++++------------- osx-config.json | 2 +- 3 files changed, 1405 insertions(+), 575 deletions(-) diff --git a/app.py b/app.py index d1167dd..bfd6a73 100644 --- a/app.py +++ b/app.py @@ -4,7 +4,6 @@ import time import datetime from os.path import expanduser -import sys import re from subprocess import Popen, PIPE, STDOUT from warnings import warn @@ -50,6 +49,10 @@ 'EXPERIMENTAL', const.COLORS['ENDC'])) +const.SUDO_STR = ("%s%ssudo%s" % + (const.COLORS['BOLD'], const.COLORS['RED'], + const.COLORS['ENDC'])) + def get_timestamp(): """Genereate a current timestamp that won't break a filename.""" timestamp_format = '%Y-%m-%d_%H-%M-%S' @@ -61,6 +64,12 @@ def get_timestamp(): glob_check_num = 1 +class CheckResult(object): + """Each test can have one of three results, informing the next step.""" + explicit_pass = 1 + explicit_fail = 2 + no_pass = 3 + class Confidence(object): """Likelihood that a configuration will create negative side-effects. 
@@ -73,21 +82,19 @@ class Confidence(object): class ConfigCheck(object): """Encapsulates configuration to check in operating system.""" - check_type = '' - expected_stdout = '' - - def __init__(self, command, comparison_type, expected, case_sensitive, - description, confidence, fix=None, sudo_fix=None, - manual_fix=None, sudo_command=None): + def __init__(self, tests, description, confidence, fix=None, sudo_fix=None, + manual_fix=None): """ Args: - command (str): The command to run to check OS configuration. - comparison_type (str): "exact match" or "regex match" - expected (str): The expected string to match or regex to match - against the stdout of the specified `command`. - case_senstive (bool): Specifies whether `expected` is a - case-sensitive comparison. + tests (List[dict]): The ordered list of tests to be performed, each + a `dict` with these attributes including command_pass and/or + command_fail: + * type (str): "exact match" or "regex match" + * command (str) + * command_pass (Optional[str]) + * command_fail (Optional[str]) + * case_sensitive (bool) description (str): A human-readable description of the configuration being checked. confidence (str): "required", "recommended", or "experimental" 
@@ -99,16 +106,17 @@ def __init__(self, command, comparison_type, expected, case_sensitive, change. manual_fix (Optional[str]): Instructions to output to the user to manually remediate if a config cannot be fixed automatically. - sudo_command (Optional[str]): A version of `command` that - requests administrative privileges from the operating system. - This will only be executed if `command` does not produce the - desired results. """ - assert comparison_type in ('exact match', 'regex match') - self.command = command - self.comparison_type = comparison_type - self.expected = expected - self.case_sensitive = case_sensitive + assert isinstance(tests, list) + assert len(tests) > 0 + for test in tests: + assert isinstance(test, dict), "%s" % str(test) + assert test['type'] in ('exact match', 'regex match') + assert 'command' in test + assert 'command_pass' in test or 'command_fail' in test + test['case_sensitive'] = bool(test['case_sensitive']) + self.tests = tests + self.description = description if confidence == 'required': self.confidence = Confidence.required @@ -123,7 +131,6 @@ def __init__(self, command, comparison_type, expected, case_sensitive, self.fix = fix #default: None self.sudo_fix = sudo_fix #default: None self.manual_fix = manual_fix #default: None - self.sudo_command = sudo_command #default: None def __str__(self): return str(self.__dict__) 
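Review bot: `test['case_sensitive'] = bool(test['case_sensitive'])` turns the string "false" into True, because any non-empty string is truthy, and the Hjson checks in this same commit write `case_sensitive: "false"` as a quoted string. Every test is then compared case-sensitively, so a check can report FAILED on output that differs from the expected value only in case. The parsing this commit removes from read_config handled both forms and fits here unchanged: `assert test['case_sensitive'] in ('true', True, 'false', False)` followed by `test['case_sensitive'] = test['case_sensitive'] in ('true', True)`. These asserts are the only validation of the test list visible in this commit, and they are skipped under `python -O`.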
@@ -153,30 +160,11 @@ def read_config(config_filename): description = config_check['description'] dprint("Description: %s" % description) - #Config MUST specify a command to check the status of the system - command = config_check['command'] - #Config MUST indicate the confidence of the configuration check confidence = config_check['confidence'] - #Config MUST specify either expected STDOUT or regex pattern - expected = None - comparison_type = None - if config_check['type'] == 'exact match': - comparison_type = 'exact match' - expected = config_check['expected_stdout'] - elif config_check['type'] == 'regex match': - comparison_type = 'regex match' - expected = config_check['expected_regex'] - else: - sys.exit("Expected comparison string does not match 'type' field.") - - #Config MUST specify whether the commands checking the status are case - #sensitive - case_sensitive = False - assert config_check['case_sensitive'] in ('true', True, 'false', False) - if config_check['case_sensitive'] in ('true', True): - case_sensitive = True + #Config MUST include at least one test obj + tests = config_check['tests'] #Config MUST specify a fix object assert 'fix' in config_check @@ -197,22 +185,13 @@ def read_config(config_filename): if 'manual' in config_check['fix']: manual_fix = config_check['fix']['manual'] - #Config MAY specify a sudo_command, a sudo version of "command" - sudo_command = None - if 'sudo_command' in config_check: - sudo_command = config_check['sudo_command'] - config_check_obj = ConfigCheck( - command=command, - comparison_type=comparison_type, - expected=expected, - case_sensitive=case_sensitive, + tests=tests, description=description, confidence=confidence, fix=fix, sudo_fix=sudo_fix, - manual_fix=manual_fix, - sudo_command=sudo_command) + manual_fix=manual_fix) config_checks.append(config_check_obj) return config_checks 
@@ -220,45 +199,62 @@ def read_config(config_filename): def run_check(config_check, last_attempt=False, quiet_fail=False): """Perform the specified configuration check against the OS. - This will perform the check once without sudo privileges; if that fails and - a sudo version of this check has been specified, that will be performed, - with the final result value being a logical-or of the outcomes. + Each config check may specify multiple test cases with early-succeed and/or + early-fail parameters. Args: - config_check (`ConfigCheck`): The check to perform. + config_check (`ConfigCheck`): The check to perform. May contain multiple + commands to test. last_attempt (bool): Is this the last time the script checks this configuration, or will we check again during this run? quiet_fail (bool): Suppress print failed results to stdout? Default: False. - Returns: - bool: Whether check passed. + Returns: bool: Whether check passed. + + Raises: ValueError if result of _execute_check is not valid. """ assert isinstance(config_check, ConfigCheck) - passed = _execute_check(config_check.command, config_check.comparison_type, - config_check.expected, config_check.case_sensitive) - - if not passed and config_check.sudo_command is not None: - fancy_sudo_command = re.sub("sudo", - ("%s%ssudo%s" % (const.COLORS['BOLD'], - const.COLORS['RED'], - const.COLORS['ENDC'])), - config_check.sudo_command) - print(("The next configuration check requires elevated privileges; %s" - "you may be prompted for your current OS X user's password " - "below%s. 
The command to be executed is: '%s'") % - (const.COLORS['BOLD'], const.COLORS['ENDC'], - fancy_sudo_command)) - passed = _execute_check(config_check.sudo_command, - config_check.comparison_type, - config_check.expected, - config_check.case_sensitive) + passed = False + for test in config_check.tests: + #alert user if he might get prompted for admin privs due to sudo use + if 'sudo ' in test['command']: + fancy_sudo_command = re.sub("sudo", const.SUDO_STR, test['command']) + print(("The next configuration check requires elevated privileges; " + "%syou may be prompted for your current OS X user's " + "password below%s. The command to be executed is: '%s'") % + (const.COLORS['BOLD'], const.COLORS['ENDC'], + fancy_sudo_command)) + + command_pass = None + if 'command_pass' in test: + command_pass = str(test['command_pass']) + command_fail = None + if 'command_fail' in test: + command_fail = str(test['command_fail']) + result = _execute_check(command=test['command'], + comparison_type=test['type'], + case_sensitive=test['case_sensitive'], + command_pass=command_pass, + command_fail=command_fail) + if result == CheckResult.explicit_pass: + dprint("Test passed exlicitly for '%s'" % test['command']) + passed = True + break + elif result == CheckResult.explicit_fail: + dprint("Test failed exlicitly for '%s'" % test['command']) + break + elif result == CheckResult.no_pass: + dprint("Test did not pass for '%s'" % test['command']) + continue + else: + raise ValueError("Invalid return value from _execute_check.") if passed or not quiet_fail: msg = ("\nCHECK #%d: %s... %s" % (glob_check_num, - config_check.description, - _get_result_str(passed))) + config_check.description, + _get_result_str(passed))) print msg if const.WRITE_TO_LOG_FILE: log_to_file(msg) 
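Review bot: In the `for test in config_check.tests` loop, `passed` is set only on `CheckResult.explicit_pass`, so a check whose tests carry only `command_fail` is always reported as failed, even though ConfigCheck accepts a test with either key. If that is intended, the run_check docstring should say so and ConfigCheck should reject such a list early, for example with `assert any('command_pass' in t for t in tests)`. The sudo notice keys on the substring `'sudo '` in the command text, so a command that reaches sudo through a script or an api.sh helper would prompt for a password without the warning. The two dprint messages spell "exlicitly".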
@@ -284,18 +280,36 @@ def log_to_file(string): def _get_result_str(result_bool): return const.PASSED_STR if result_bool else const.FAILED_STR -def _execute_check(command, comparison_type, expected, case_sensitive): +def _execute_check(command, comparison_type, case_sensitive, command_pass=None, + command_fail=None): """Helper function for `run_check` -- executes command and checks result. + This check can result in three conditions: + 1. The check explicitly passed, and no subsequent tests need to be performed + for this check. Returns True. + 2. The check explicitly failed, and no subsequent tests need to be performed + for this check. Raises ConfigCheckFailedExplicitly. + 3. The check produced another result, and if there is another test + available, it + Args: command (str): The command to execute to perform the check. comparison_type (str): 'exact match' or 'regex match' - expected (str): Result expected in output, either exact match or regex. case_sensitive (bool): Whether the comparison to output is case - senstive. + sensitive. + command_pass (str or None): The output of the command which constitutes + an explicit pass for the test, either as an exact string or regex + depending on `comparison_type`. + command_fail (str or None): The output of the command which constitutes + an explicit fail for the test, either as an exact string or regex + depending on `comparison_type`. Returns: - bool: Whether the output matched the expected output of the command. + `CheckResult`: explicit pass, explicit failure, or lacking of passing for + this test only. + + Raises: + ValueError if `comparison_type` is not an expected value """ #http://stackoverflow.com/questions/7129107/python-how-to-suppress-the-output-of-os-system command = "source %s ; %s" % (const.API_FILENAME, command) 
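Review bot: The new docstring of `_execute_check` contradicts its own Returns section: items 1 and 2 say "Returns True" and "Raises ConfigCheckFailedExplicitly", while the Returns section and run_check work with `CheckResult` values. Item 3 also stops mid-sentence at "available, it". I would rewrite the three items in terms of `CheckResult.explicit_pass`, `CheckResult.explicit_fail` and `CheckResult.no_pass`, with the last one reading "the next test in the list, if any, is run". The function body continues in the following hunk.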
@@ -306,15 +320,36 @@ def _execute_check(command, comparison_type, expected, case_sensitive): dprint("Command executed to check config: '%s'" % str(command)) dprint("Result of command: '%s'" % str(stdout)) - dprint("Expected this result: '%s'" % str(expected)) + dprint("Explicit pass condition for command: '%s'" % str(command_pass)) + dprint("Explicit fail condition for command: '%s'" % str(command_fail)) if comparison_type == 'exact match': if case_sensitive: - return stdout == expected + if command_fail is not None and stdout == command_fail: + return CheckResult.explicit_fail + if command_pass is not None and stdout == command_pass: + return CheckResult.explicit_pass + else: + return CheckResult.no_pass else: - return stdout.lower() == str(expected).lower() + if (command_fail is not None and + stdout.lower() == str(command_fail.lower())): + return CheckResult.explicit_fail + if (command_pass is not None and + stdout.lower() == str(command_pass).lower()): + return CheckResult.explicit_pass + else: + return CheckResult.no_pass elif comparison_type == 'regex match': - return is_match(expected, stdout, ignore_case=(not case_sensitive)) + ignore_case = not case_sensitive + if (command_fail is not None and + is_match(command_fail, stdout, ignore_case=ignore_case)): + return CheckResult.explicit_fail + if (command_pass is not None and + is_match(command_pass, stdout, ignore_case=ignore_case)): + return CheckResult.explicit_pass + else: + return CheckResult.no_pass else: raise ValueError diff --git a/osx-config.hjson b/osx-config.hjson index 1ffad6e..2da4f17 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
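Review bot: The 'exact match' branch writes the same fail-then-pass comparison twice, once per case mode, and the two copies already differ in form (`str(command_fail.lower())` against `str(command_pass).lower()`). Folding case once before the comparison leaves a single copy to keep correct and keeps the order of the fail and pass tests in one place. The result is the same as long as run_check continues to pass both values as strings or None. Whether `stdout` has been stripped of its trailing newline before this point is not visible in the hunk and is worth a comment where it is set.

```python
    if comparison_type == 'exact match':
        if not case_sensitive:
            # fold case once instead of repeating the comparison per branch
            stdout = stdout.lower()
            command_pass = None if command_pass is None else command_pass.lower()
            command_fail = None if command_fail is None else command_fail.lower()
        if command_fail is not None and stdout == command_fail:
            return CheckResult.explicit_fail
        if command_pass is not None and stdout == command_pass:
            return CheckResult.explicit_pass
        return CheckResult.no_pass
    # … unchanged: 'regex match' branch and the final ValueError …
```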
@@ -39,10 +39,15 @@ description: "The System Preferences application is currently closed." confidence: "required" reference: "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html" - type: "exact match" - command: "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'" - expected_stdout: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'" + command_pass: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. + case_sensitive: "false" + } + ] fix: { command: @@ -52,10 +57,15 @@ { description: "Current user is a non-admin account." confidence: "required" - type: "exact match" - command: "id -Gn | grep -c -w admin" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "id -Gn | grep -c -w admin" + command_pass: "0" + case_sensitive: "false" + } + ] fix: { manual: @@ -75,10 +85,16 @@ description: "The OSX application firewall is enabled (system-wide)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true" 
@@ -90,10 +106,16 @@ description: "The OSX application firewall is enabled (current user only)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true" @@ -104,11 +126,23 @@ description: "A password is required to wake the computer from sleep or screen saver (system-wide)." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "defaults read /Library/Preferences/com.apple.screensaver askForPassword" - sudo_command: "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read /Library/Preferences/com.apple.screensaver askForPassword" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true" 
@@ -119,10 +153,15 @@ description: "A password is required to wake the computer from sleep or screen saver (current user only)." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword" + command_pass: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true" @@ -133,11 +172,23 @@ description: "There is no delay between starting the screen saver and locking the machine (system-wide)." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay" - sudo_command: "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false" 
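Review bot: `command_fail: "1"` in the two system-wide askForPasswordDelay tests (second hunk on this line) matches only a delay of exactly 1. The key presumably stores a delay value, so any other non-zero setting is neither an explicit pass nor an explicit fail, and the `sudo` test that follows still runs and may prompt for a password before the check fails anyway. If the early fail is meant to cover every non-zero delay, a `regex match` test would express that; how app.py's `is_match` anchors a pattern is not visible here, so the pattern needs checking against it. The current-user askForPasswordDelay test in the next hunk carries the same `command_fail: "1"`.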
@@ -150,10 +201,16 @@ description: "There is no delay between starting the screen saver and locking the machine (current user only)." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false" @@ -164,10 +221,17 @@ description: "Logging is enabled for the operating system." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true" 
@@ -178,11 +242,17 @@ description: "Homebrew analytics are disabled." confidence: "required" reference: "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md" - type: "exact match" - //test based on: https://github.com/Homebrew/brew/blob/master/Library/Homebrew/utils/analytics.sh - command: "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + //test based on: https://github.com/Homebrew/brew/blob/master/Library/Homebrew/utils/analytics.sh + command: "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { //TODO: This fix works if you login/logout, but I haven't been able to get a fix working that doesn't require login/logout. The enironment variable is context dependent, and it's not clear how to set the variable in the parent-most environment without this action. @@ -197,10 +267,16 @@ description: "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)" confidence: "recommended" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true" 
@@ -213,10 +289,16 @@ description: "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)" confidence: "recommended" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true" @@ -229,10 +311,16 @@ description: "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false" 
@@ -245,10 +333,16 @@ description: "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false" @@ -259,10 +353,16 @@ description: "Captive portal for connecting to new networks is disabled to prevent MITM attacks." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false" 
@@ -274,10 +374,15 @@ description: "OpenSSL is up-to-date." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "openssl version" - expected_stdout: "OpenSSL 1.0.2h 3 May 2016" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "openssl version" + command_pass: "OpenSSL 1.0.2h 3 May 2016" + case_sensitive: "false" + } + ] fix: { command: "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple" @@ -289,10 +394,16 @@ description: "Hidden files are displayed in Finder." confidence: "recommended" reference: "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111" - type: "exact match" - command: "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock" 
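Review bot: In the `@@ -274` hunk, `command_pass: "OpenSSL 1.0.2h 3 May 2016"` is an exact match on one release string with no `command_fail`, so a later OpenSSL release that carries security fixes is reported the same way as an outdated one. The git (`2\\.8\\.2`, `@@ -601`) and curl (`7\\.48\\.0`, `@@ -643`) hunks carry the same pinning. At minimum, a comment on each entry such as `//Pinned to the newest release known at commit time; must be bumped with every upstream release` would tell maintainers that the value goes stale. Whether the `command not found` alternative in the git and curl patterns can ever match depends on the runner capturing stderr, which this diff does not show.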
@@ -304,11 +415,17 @@ description: "All application software is currently up to date." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/" - type: "exact match" - command: - LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9\\-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ];then echo 1 && exit; fi; exit 0 && exit - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9\\-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ];then echo 1 && exit; fi; exit 0 && exit + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "softwareupdate -i -a" @@ -320,11 +437,21 @@ description: "Automatic check for software updates is enabled." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/" - type: "exact match" - command: "softwareupdate --schedule | grep 'Automatic check is on'" - sudo_command: "sudo softwareupdate --schedule | grep 'Automatic check is on'" - expected_stdout: "Automatic check is on" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "softwareupdate --schedule | grep -i 'Automatic check is on'" + command_pass: "Automatic check is on" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo softwareupdate --schedule | grep -i 'Automatic check is on'" + command_pass: "Automatic check is on" + case_sensitive: "false" + } + ] fix: { command: "softwareupdate --schedule on" 
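Review bot: In the `@@ -304` hunk the added `command_fail: "0"` can never match. The command prints `1` when `LastSuccessfulDate` is today and otherwise ends with `exit 0 && exit`, which sets an exit status and prints nothing. A stale update date therefore yields empty stdout rather than a recognised failure value. Ending the command with `echo 0; exit` instead of `exit 0 && exit` would make its output agree with the new field.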
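Review bot: In the `@@ -320` hunk the former `sudo_command` field becomes a second `tests` entry whose `command` simply starts with `sudo`, so nothing in the entry marks it as privileged any more. Unless the runner inspects the command string (not visible in this diff), it cannot tell the user which test will ask for elevated rights before running it. The hunk also leaves unstated whether a check passes when any entry passes or only when all do; a comment above `tests:` saying which would remove the ambiguity. The same applies to the Bluetooth, infrared, AirDrop, remote login, Apple events, wake-on-network, network time and push notification hunks.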
@@ -335,10 +462,15 @@ //System Preferences->Security & Privacy->General->Allow apps downloaded from description: "GateKeeper protection against untrusted applications is enabled." confidence: "required" - type: "exact match" - command: "spctl --status | grep 'assessments enabled'" - expected_stdout: "assessments enabled" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "spctl --status | grep -i 'assessments enabled'" + command_pass: "assessments enabled" + case_sensitive: "false" + } + ] fix: { command: "spctl --master-enable" @@ -350,11 +482,23 @@ //System Preferences->Bluetooth->Turn Bluetooth Off description: "Bluetooth is disabled." confidence: "experimental" - type: "exact match" - command: "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState" - sudo_command: "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued" 
@@ -365,11 +509,23 @@ { description: "The infrared receiver is disabled." confidence: "required" - type: "exact match" - command: "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled" - sudo_command: "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false" @@ -380,11 +536,23 @@ { description: "AirDrop file sharing is disabled." confidence: "required" - type: "exact match" - command: "defaults read com.apple.NetworkBrowser DisableAirDrop" - sudo_command: "sudo defaults read com.apple.NetworkBrowser DisableAirDrop" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read com.apple.NetworkBrowser DisableAirDrop" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo defaults read com.apple.NetworkBrowser DisableAirDrop" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true" 
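Review bot: In the `@@ -380` hunk (AirDrop) both tests read the bare domain `com.apple.NetworkBrowser`, while the `fix` writes to `/Library/Preferences/com.apple.NetworkBrowser`. A bare domain is resolved in the invoking user's preferences (root's for the `sudo` entry), so the fix may change a file that neither test reads. Reading the path the fix writes, `defaults read /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop`, or writing the user domain in the fix, would keep check and remediation aligned.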
@@ -399,11 +567,17 @@ description: "File sharing is disabled." confidence: "recommended" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: - if [ -n "$(launchctl list | egrep AppleFileServer)" ]; then exit 1; fi; if [ -n "$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)" ]; then echo 1; exit; fi; echo 0; exit - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + if [ -n "$(launchctl list | egrep AppleFileServer)" ]; then exit 1; fi; if [ -n "$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)" ]; then echo 1; exit; fi; echo 0; exit + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist" @@ -414,11 +588,17 @@ description: "Printer sharing is disabled." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: - if [ -n "$(system_profiler SPPrintersDataType | grep Shared | grep Yes)" ]; then echo 1; exit; fi; if [ -n "$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')" ]; then echo 1; exit; fi; echo 0; exit - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + if [ -n "$(system_profiler SPPrintersDataType | grep Shared | grep Yes)" ]; then echo 1; exit; fi; if [ -n "$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')" ]; then echo 1; exit; fi; echo 0; exit + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "cupsctl --no-share-printers" 
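Review bot: In the `@@ -399` hunk the first branch of the command is `then exit 1; fi`, which prints nothing. When `AppleFileServer` is loaded, stdout is therefore empty and matches neither `command_pass: "0"` nor the new `command_fail: "1"`. The later branch uses `echo 1; exit`, so writing the first branch as `then echo 1; exit; fi` would report running AFP file sharing as a failure.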
@@ -428,11 +608,21 @@ //System Preferences->Sharing->Remote Login description: "Remote login is disabled." confidence: "required" - type: "exact match" - command: "systemsetup -getremotelogin" - sudo_command: "sudo systemsetup -getremotelogin" - expected_stdout: "Remote Login: Off" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "systemsetup -getremotelogin" + command_pass: "Remote Login: Off" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo systemsetup -getremotelogin" + command_pass: "Remote Login: Off" + case_sensitive: "false" + } + ] fix: { command: "systemsetup -f -setremotelogin off" @@ -444,11 +634,17 @@ //System Preferences->Sharing->Remote Management description: "Remote Management is disabled." confidence: "required" - type: "exact match" - command: - if [ -n "$(ps -ef | egrep "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent")" ]; then echo 1; exit; fi; echo 0; exit - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + if [ -n "$(ps -ef | egrep "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent")" ]; then echo 1; exit; fi; echo 0; exit + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop" 
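Review bot: In the `@@ -428` hunk the remote login tests set `command_pass: "Remote Login: Off"` but no `command_fail`, whereas the network time hunk (`@@ -510`) adds `command_fail: "Network Time: On"` for the same kind of `systemsetup` output. Adding `command_fail: "Remote Login: On"` to both entries would let the tool separate "SSH is enabled" from "the command could not run", which matters most for the non-sudo entry. The Apple events (`@@ -461`) and wake-on-network (`@@ -494`) hunks have the same gap.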
@@ -461,11 +657,21 @@ description: "Remote Apple events are disabled." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "systemsetup -getremoteappleevents" - sudo_command: "sudo systemsetup -getremoteappleevents" - expected_stdout: "Remote Apple Events: Off" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "systemsetup -getremoteappleevents" + command_pass: "Remote Apple Events: Off" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo systemsetup -getremoteappleevents" + command_pass: "Remote Apple Events: Off" + case_sensitive: "false" + } + ] fix: { command: "systemsetup -setremoteappleevents off" @@ -479,10 +685,15 @@ description: "Internet Sharing is disabled on all network interfaces." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'" + command_pass: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false" 
@@ -494,11 +705,21 @@ //System Preferences->Energy Saver->Wake for network access description: "Wake on Network Access feature is disabled." confidence: "required" - type: "exact match" - command: "systemsetup getwakeonnetworkaccess" - sudo_command: "sudo systemsetup getwakeonnetworkaccess" - expected_stdout: "Wake On Network Access: Off" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "systemsetup getwakeonnetworkaccess" + command_pass: "Wake On Network Access: Off" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo systemsetup getwakeonnetworkaccess" + command_pass: "Wake On Network Access: Off" + case_sensitive: "false" + } + ] fix: { command: "systemsetup -setwakeonnetworkaccess off" @@ -510,11 +731,23 @@ //Disables NTPd. There are definitely some downsides to this; some security software requires synchronized clocks, so this increases the risk of getting out of sync. I think most of this software will fail-safe, though. Disabling this has various benefits. See discussion here: https://github.com/SummitRoute/osxlockdown/issues/18 description: "Automatic setting of time and date is disabled." confidence: "recommended" - type: "exact match" - command: "systemsetup getusingnetworktime" - sudo_command: "sudo systemsetup getusingnetworktime" - expected_stdout: "Network Time: Off" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "systemsetup getusingnetworktime" + command_pass: "Network Time: Off" + command_fail: "Network Time: On" + case_sensitive: "false" + }, + { + type: "exact match" + command: "sudo systemsetup getusingnetworktime" + command_pass: "Network Time: Off" + command_fail: "Network Time: On" + case_sensitive: "false" + } + ] fix: { command: "systemsetup setusingnetworktime off" 
@@ -527,11 +760,17 @@ description: "IPv6 is disabled on all network interfaces." confidence: "recommended" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: - networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then echo 1; fi; done; echo 0; exit - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo "$i" | grep "IPv6: Automatic") && if [ -n "$SUPPORT" ]; then echo 1; fi; done; echo 0; exit + command_pass: "0" + //command_fail would be one or more instances of the character "1" + case_sensitive: "false" + } + ] fix: { command: @@ -542,11 +781,17 @@ description: "An administrator password is required to change system-wide preferences." confidence: "required" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "exact match" - command: - if [ -n "$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')" ]; then echo 0; else echo 1; fi - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + if [ -n "$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')" ]; then echo 0; else echo 1; fi + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { //TODO: Add warning to user before fix command is run that she will be prompted for her admin credentials. this requires a new field 
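Review bot: The comment added in the `@@ -527` hunk, `//command_fail would be one or more instances of the character "1"`, does not match what the command prints. The loop echoes `1` per matching service and then `echo 0` always runs, so a failing run outputs one or more `1` lines followed by `0`. I would reword it to `//on failure stdout is one or more "1" lines followed by a final "0"`. The `grep "IPv6: Automatic"` filter also only catches automatic configuration, so a service with IPv6 enabled in another mode would presumably not print `1`; that deserves a comment if it is intended.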
@@ -558,10 +803,16 @@ description: "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)" confidence: "required" reference: "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/" - type: "exact match" - command: "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false" @@ -573,10 +824,16 @@ //Once this set of configurations is proven stable, this can be upgraded from "experimental" to "recommended". We may want to warn the user first that waking will be slower and require authenticating twice. confidence: "experimental" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "exact match" - command: "bash ./scripts/DestroyFVKeyOnStandby_check.sh" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "bash ./scripts/DestroyFVKeyOnStandby_check.sh" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { //Additional configurations are required to make this setting not fight with powernap/standby/autopoweroff. See: https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/124 
@@ -588,10 +845,15 @@ description: "The system will store a copy of memory to persistent storage, and will remove power to memory." confidence: "recommended" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "regex match" - command: "pmset -g" - expected_regex: ".*hibernatemode\\s+25.*" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "pmset -g" + command_pass: ".*hibernatemode\\s+25.*" + case_sensitive: "false" + } + ] fix: { command: "pmset -a hibernatemode 25" @@ -601,10 +863,15 @@ { description: "git is up to date or is not installed" confidence: "required" - type: "regex match" - command: "git --version" - expected_regex: ".*(command not found|2\\.8\\.2).*" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "git --version" + command_pass: ".*(command not found|2\\.8\\.2).*" + case_sensitive: "false" + } + ] fix: { //This will make sure latest git is installed via homebrew and make make apple's version of git non-competitive @@ -616,11 +883,21 @@ description: "Apple Push Notifications are disabled." confidence: "recommended" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "regex match" - command: "launchctl list" - sudo_command: "sudo launchctl list" - expected_regex: "^((?!com\\.apple\\.apsd).)*$" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "launchctl list" + command_pass: "^((?!com\\.apple\\.apsd).)*$" + case_sensitive: "false" + }, + { + type: "regex match" + command: "sudo launchctl list" + command_pass: "^((?!com\\.apple\\.apsd).)*$" + case_sensitive: "false" + } + ] fix: { command: "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist" 
@@ -631,10 +908,15 @@ { description: "Google DNS servers are used by default on all network interfaces." confidence: "recommended" - type: "regex match" - command: "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' " - expected_regex: "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' " + command_pass: "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$" + case_sensitive: "false" + } + ] fix: { command: "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4" @@ -643,10 +925,15 @@ { description: "The curl utility is up to date or absent from the system." confidence: "required" - type: "regex match" - command: "curl --version" - expected_regex: ".*(command not found|7\\.48\\.0).*" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "curl --version" + command_pass: ".*(command not found|7\\.48\\.0).*" + case_sensitive: "false" + } + ] fix: { command: "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force" @@ -657,10 +944,15 @@ description: "FileVault file system encryption is enabled." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "regex match" - command: "fdesetup status -verbose" - expected_regex: "^.*FileVault is On.*$" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "fdesetup status -verbose" + command_pass: "^.*FileVault is On.*$" + case_sensitive: "false" + } + ] fix: { /* 
@@ -686,10 +978,15 @@ description: "FileVault file system encryption is enabled at the root directory." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" - type: "regex match" - command: "fdesetup status -verbose" - expected_regex: "^.*device path \\=\\s+.*$" - case_sensitive: "false" + tests: + [ + { + type: "regex match" + command: "fdesetup status -verbose" + command_pass: "^.*device path \\=\\s+.*$" + case_sensitive: "false" + } + ] fix: { manual: "Sorry, no instructions are currently available to remediate this issue." 
@@ -700,12 +997,17 @@ description: "The idle timer for screen saver activation is set to 10 minutes or less." confidence: "recommended" reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml" - type: "regex match" - //This is a clever way for polling settings for multiple users from the current logged in user :-) - command: - UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done; - expected_regex: "^(0\n*)+$" //all zeroes - case_sensitive: "false" + tests: + [ + { + type: "regex match" + //This is a clever way for polling settings for multiple users from the current logged in user :-) + command: + UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done; + command_pass: "^(0\n*)+$" //all zeroes + case_sensitive: "false" + } + ] fix: { command: 
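Review bot: In the `@@ -700` hunk the command prints `0` only in the `else` branch, that is, when a user has no `com.apple.screensaver` ByHost plist. It prints nothing when a plist exists with an acceptable `idleTime`. So `command_pass: "^(0\n*)+$"` is satisfied by accounts with no recorded setting rather than by accounts confirmed to be within 10 minutes, and the `//all zeroes` comment hides that. A comment stating that a missing plist is treated as compliant, or distinct output for "compliant" and "not set", would make the result easier to trust. `$PREF` and `$TIMEOUT` are also unquoted, so a home directory name containing a space would break the test.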
@@ -720,10 +1022,15 @@ description: "The Safari application is currently closed." confidence: "required" reference: "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html" - type: "exact match" - command: "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'" - expected_stdout: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'" + command_pass: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. + case_sensitive: "false" + } + ] fix: { command: @@ -734,10 +1041,16 @@ //Safari->Preferences->AutoFill->Credit cards description: "Safari will not auto-fill credit card data." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false" 
@@ -747,10 +1060,16 @@ //Safari->Preferences->AutoFill->Using info from my Contacts card description: "Safari will not auto-fill your contact data." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false" @@ -760,10 +1079,16 @@ //Safari->Preferences->AutoFill->Other forms description: "Safari will not auto-fill miscellaneous forms." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false" 
@@ -773,10 +1098,16 @@ //Safari->Preferences->AutoFill->User names and passwords description: "Safari will not auto-fill usernames or passwords." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false" @@ -786,10 +1117,16 @@ //Safari->Preferences->General->Open "safe" files after downloading description: "Files downloaded in Safari are not automatically opened." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false" 
@@ -799,10 +1136,16 @@ //Safari->Preferences->Privacy->Cookies and website data->Always block description: "Cookies and local storage are always blocked in Safari." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false" @@ -813,10 +1156,16 @@ //Note: Extensions are often a persistence mechanism for browser-based malware. description: "Safari extensions are disabled." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false" 
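Review bot: In the `@@ -799` hunk the new `command_fail: "1"` treats `BlockStoragePolicy` as a boolean, but the key name suggests a policy value that may take more than two settings; this needs confirming against Safari's behaviour. If it does, any value other than `0` or `1` would match neither field. Whether `0` really corresponds to "always block" also deserves a source. A `reference:` entry for this check, or a comment listing the known values, would settle both questions.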
@@ -827,10 +1176,16 @@ description: "The Safari web browser will warn when visiting known fraudulent websites." //I'm setting this to recommended for on the basis that there is like a privacy trade-off confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true" @@ -841,10 +1196,16 @@ //Safari->Preferences->Security->Web Content->Enable JavaScript description: "JavaScript disabled in the Safari web browser." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false" 
@@ -854,10 +1215,16 @@ { description: "JavaScript disabled in the Safari web browser (Legacy version)." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false" @@ -868,10 +1235,16 @@ //Safari->Preferences->Security->Web Content->Block pop-up windows description: "Pop-up windows are blocked in the Safari web browser." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false" 
@@ -882,10 +1255,16 @@ //Safari->Preferences->Security->Web Content->Block pop-up windows description: "Pop-up windows are blocked in the Safari web browser (Legacy version)." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false" @@ -896,10 +1275,16 @@ //Safari->Preferences->Security->Web Content->Allow WebGL description: "The WebGL plug-in is disabled in the Safari web browser." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false" 
@@ -910,10 +1295,16 @@ //Safari->Preferences->Security->Internet plug-ins->Allow Plug-ins description: "Plug-ins are disabled in the Safari web browser." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false" @@ -923,10 +1314,16 @@ { description: "Plug-ins are disabled in the Safari web browser (Legacy version)." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false" 
@@ -937,10 +1334,15 @@ //Safari->Preferences->Security->Internet plug-ins->Plug-in Settings...->When visiting other websites description: "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy" - expected_stdout: "PlugInPolicyBlock" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy" + command_pass: "PlugInPolicyBlock" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock" @@ -950,12 +1352,17 @@ //Safari->Preferences->Security->Internet plug-ins->Plug-in Settings...->Java->When visiting other websites->Block description: "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites." confidence: "required" - type: "exact match" - //Note: dictionary values for PList fields are easier to handle with `PlistBuddy` instead of `defaults`. - command: - /usr/libexec/PlistBuddy -c "Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy" ~/Library/Preferences/com.apple.Safari.plist - expected_stdout: "PlugInPolicyBlock" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + //Note: dictionary values for PList fields are easier to handle with `PlistBuddy` instead of `defaults`. + command: + /usr/libexec/PlistBuddy -c "Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy" ~/Library/Preferences/com.apple.Safari.plist + command_pass: "PlugInPolicyBlock" + case_sensitive: "false" + } + ] fix: { command: 
@@ -966,10 +1373,16 @@ //Safari->Preferences->Security->Internet plug-ins->Plug-in Settings...->Java description: "The Java plug-in is disabled in the Safari web browser." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false" @@ -980,10 +1393,16 @@ //This appears to be an old method circa 2009 for disabling Java. See: http://alblue.bandlem.com/2009/05/disabling-java-in-webkit.html description: "The Java plug-in is disabled in the Safari web browser (Legacy version)." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false" 
@@ -994,10 +1413,16 @@ //Safari->Develop->Treat SHA-1 Certificates as Insecure description: "The Safari web browser is configured to treat SHA-1 certificates as insecure." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true" @@ -1008,10 +1433,16 @@ //Safari->Preferences->Search->Preload Top Hit in the background description: "The Safari web browser will not pre-load webpages that rank highly as search matches." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false" 
@@ -1022,10 +1453,16 @@ //Safari->Preferences->Search->Search engine->Include search engine suggestions description: "The Safari web browser will not include search engine suggestions for text typed in the location bar." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true" @@ -1036,10 +1473,16 @@ //Safari->Preferences->Search->Smart Search Field->Include Safari Suggestions description: "The Safari web browser's search suggestions are disabled." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled" - expected_stdout: "0" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled" + command_pass: "0" + command_fail: "1" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false" 
@@ -1050,10 +1493,16 @@ //Safari->Preferences->Privacy->Website tracking->Ask websites not to track me description: "The Safari web browser uses the Do-Not-Track HTTP header." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true" @@ -1063,10 +1512,16 @@ { description: "PDF viewing is disabled in the Safari web browser." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true" 
@@ -1078,10 +1533,16 @@ //This might help prevent phishing attacks description: "Full website addresses are disabled in the location bar of the Safari web browser." confidence: "required" - type: "exact match" - command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField" - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField" + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true" @@ -1096,10 +1557,15 @@ description: "The Mail application is currently closed." confidence: "required" reference: "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html" - type: "exact match" - command: "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'" - expected_stdout: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'" + command_pass: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. + case_sensitive: "false" + } + ] fix: { command: 
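Review bot: The `description` in the first hunk says full website addresses are "disabled", but the test passes on `command_pass: "1"` for `ShowFullURLInSmartSearchField` and the fix writes `-bool true`, so the check actually enforces that full addresses are shown. The description is unchanged context, but the added `command_fail: "0"` makes the contradiction explicit in the audit output. I would reword it to `description: "Full website addresses are shown in the location bar of the Safari web browser."`.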
@@ -1110,12 +1576,18 @@ //Mail->Preferences->Viewing->Load remote content in messages description: "Apple Mail does not automatically load remote content in e-mails." confidence: "recommended" - type: "exact match" - //Either Apple Mail is not in use or remote content is disabled. I use "ls" here to resolve the "~" symbol to the fully qualified file path that "test" requires. - command: - REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n "$REMOTELOAD" ]; then echo 1; else echo 0; fi - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + //Either Apple Mail is not in use or remote content is disabled. I use "ls" here to resolve the "~" symbol to the fully qualified file path that "test" requires. + command: + REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n "$REMOTELOAD" ]; then echo 1; else echo 0; fi + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true" 
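Review bot: The `[ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ]` branch of the new `command` cannot succeed when the plist is missing. `ls` prints nothing, the unquoted substitution disappears, and `[ ! -e ]` is a two-argument test that is false because `-e` is a non-empty string. A machine where Apple Mail was never used therefore prints `0`, which the added `command_fail: "0"` now scores as an explicit failure. The shell already expands an unquoted leading `~`, so `if [ ! -e ~/Library/Preferences/com.apple.mail-shared.plist ] || [ -n "$REMOTELOAD" ]; then echo 1; else echo 0; fi` does what the comment intends. The same applies to the four GPGMail tests in the following hunks (`EncryptNewEmailsByDefault`, `OptionallyEncryptDrafts`, `SignNewEmailsByDefault`, `SUEnableAutomaticChecks`).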
@@ -1126,10 +1598,15 @@ //Mail->Preferences->Junk Mail->Enable junk mail filtering AND When junk mail arrives: Move it to the Junk mailbox description: "Mail identified by Apple Mail as junk is sent to the Junk mailbox." confidence: "recommended" - type: "exact match" - command: "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior" - expected_stdout: "2" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior" + command_pass: "2" + case_sensitive: "false" + } + ] fix: { command: "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2" @@ -1139,11 +1616,17 @@ //Mail->Preferences->GPGMail->Composing->Encrypt new messages by default description: "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain." confidence: "recommended" - type: "exact match" - command: - AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPT" ]; then echo 1; else echo 0; fi - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPT" ]; then echo 1; else echo 0; fi + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true" 
@@ -1154,11 +1637,17 @@ //Mail->Preferences->GPGMail->Composing->Encrypt drafts description: "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail." confidence: "required" - type: "exact match" - command: - AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPTDRAFTS" ]; then echo 1; else echo 0; fi - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPTDRAFTS" ]; then echo 1; else echo 0; fi + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true" @@ -1169,11 +1658,17 @@ //Mail->Preferences->GPGMail->Composing->Sign new messages by default description: "New e-mails composed in Apple Mail are signed by GPGMail." confidence: "required" - type: "exact match" - command: - AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOSIGN" ]; then echo 1; else echo 0; fi - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOSIGN" ]; then echo 1; else echo 0; fi + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true" 
@@ -1184,11 +1679,17 @@ //Mail->Preferences->GPGMail->Updates->Automatically check for updates description: "Apple Mail with automatically check for updates to GPGMail." confidence: "required" - type: "exact match" - command: - AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOCHECK" ]; then echo 1; else echo 0; fi - expected_stdout: "1" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: + AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOCHECK" ]; then echo 1; else echo 0; fi + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] fix: { command: "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true" @@ -1202,11 +1703,21 @@ //Check if the Chrome app is closed -- otherwise, it may override changes this app makes. description: "The Google Chrome browser is currently closed." confidence: "required" - type: "exact match" - command: - if [ $(chrome_is_installed) = "0" ] ; then echo "2" ; else ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' ; fi - expected_stdout: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "exact match" + command: "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'" + command_pass: 2 //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. + case_sensitive: false + } + ] fix: { command: 
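Review bot: The two tests added in the second hunk (Chrome closed) write `command_pass: 0`, `command_pass: 2` and `case_sensitive: false` unquoted, while the Safari and Mail tests above use quoted strings (`"0"`, `"false"`). The second test of each later Chrome hunk is quoted as well. If the parser types unquoted values as number and boolean, comparing command output (a string) with `command_pass` may never match, and `case_sensitive` ends up with two different types in one `tests` list. The consumer is not visible here, so this needs checking. I would quote them consistently, `command_pass: "0"`, `command_pass: "2"` and `case_sensitive: "false"`, including the `chrome_is_installed` test repeated in every Chrome hunk below.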
@@ -1217,11 +1728,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Use a web service to help resolve navigation errors description: "All Google Chrome web browser profiles prevent information leakage through navigation errors." confidence: "recommended" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1232,11 +1754,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Use a prediction service to help complete searches and URLs typed in the address bar or the app launcher description: "All Google Chrome web browser profiles prevent information leakage through URL suggestions." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1247,11 +1780,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Use a prediction service to load pages more quickly description: "All Google Chrome web browser profiles prevent information leakage through network prediction." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi - expected_regex: "^(2\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options + command_pass: "^(2\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1262,11 +1806,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Automatically report details of possible security incidents to Google description: "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google." confidence: "recommended" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: @@ -1279,11 +1834,22 @@ description: "All Google Chrome web browser profiles have Google Safe Browsing enabled." confidence: "recommended" reference: "https://en.wikipedia.org/wiki/Google_Safe_Browsing" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi - expected_regex: "^(True\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled + command_pass: "^(True\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1294,11 +1860,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Use a web service to help resolve spelling errors description: "All Google Chrome web browser profiles prevent information leakage through spell-checking network services." confidence: "recommended" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1309,11 +1886,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Automatically send usage statistics and crash reports to Google description: "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; exit; fi; if [ -e "$(ls ~/Library/Application\ Support/Google/Chrome/Consent\ To\ Send\ Stats)" ]; then echo "True"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\ Support/Google/Chrome/Local\ State user_experience_metrics.reporting_enabled) - expected_regex: ".*False$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + if [ -e "$(ls ~/Library/Application\ Support/Google/Chrome/Consent\ To\ Send\ Stats)" ]; then echo "True"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\ Support/Google/Chrome/Local\ State user_experience_metrics.reporting_enabled) + command_pass: ".*False$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1324,12 +1912,23 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Send a "Do Not Track" request with your browsing traffic description: "All Google Chrome web browser profiles use the Do-Not-Track HTTP header." confidence: "recommended" - type: "regex match" - //This check should short-circuit and match the regex if Chrome is not installed - command: - if [ $(chrome_is_installed) = "0" ]; then echo "True"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi - expected_regex: "^(True\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + //This check should short-circuit and match the regex if Chrome is not installed + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track + command_pass: "^(True\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
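Review bot: The comment `//This check should short-circuit and match the regex if Chrome is not installed` was carried into the second test, which no longer contains the `chrome_is_installed` branch, so it describes code that is gone. The short-circuit now sits in the first test. I would drop the comment from the `regex match` test and put `//Passes without running the next test if Chrome is not installed` on the `chrome_is_installed` test, provided that is how the runner treats a passing first test.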
@@ -1340,12 +1939,23 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Content Settings->Pop-ups->Do not allow any site to show pop-ups (recommended) description: "All Google Chrome web browser profiles prevent pop-ups." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "The attribute 'profile.default_content_setting_values.popups' does not exist"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi - expected_regex: - ^(The attribute 'profile.default_content_setting_values.popups' does not exist\n?)|(None\n?)+$ - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups + command_pass: + ^(The attribute 'profile.default_content_setting_values.popups' does not exist\n?)|(None\n?)+$ + case_sensitive: "false" + } + ] fix: { command: 
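Review bot: The `command_pass` pattern of the `regex match` test, `^(The attribute '…' does not exist\n?)|(None\n?)+$`, has its alternation at top level, so `^` binds only to the first alternative and `+$` only to the second. With more than one profile, output whose first line is the "does not exist" message can match even when a later profile reports a pop-up setting that should fail. Whether it does depends on how the runner applies the regex, but the result would be a false pass in the audit. Grouping the alternatives closes the gap: `^((The attribute 'profile\.default_content_setting_values\.popups' does not exist|None)\n?)+$`.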
@@ -1356,11 +1966,22 @@ //Chrome->Preferences->Show Advanced Settings->Privacy->Content Settings->Location->Do not allow any site to track your physical location description: "All Google Chrome web browser profiles prevent geolocation by websites." confidence: "recommended" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi - expected_regex: "^(2\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation + command_pass: "^(2\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1373,11 +1994,22 @@ description: "All Google Chrome web browser profiles block unsandboxed plug-in software." confidence: "recommended" reference: "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "2"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi - expected_regex: "^(2\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker + command_pass: "^(2\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1388,11 +2020,22 @@ //Chrome->Preferences->Show Advanced Settings->Passwords and forms->Enable Autofill to fill out web forms in a single click description: "All Google Chrome web browser profiles prevent filling personal information into forms automatically." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: @@ -1404,11 +2047,22 @@ //Chrome->Preferences->Show Advanced Settings->Passwords and forms->Offer to save your web passwords. description: "All Google Chrome web browser profiles have disabled Password Manager." confidence: "recommended" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1419,11 +2073,22 @@ //Chrome->Preferences->Show Advanced Settings->Passwords and forms->Manage passwords->Auto Sign-In description: "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1434,11 +2099,22 @@ //Chrome->Preferences->Show Advanced Settings->Google CloudPrint->Show notifications when new printers are detected on network description: "All Google Chrome web browser profiles have disabled Google CloudPrint." confidence: "required" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: @@ -1451,11 +2127,22 @@ description: "All Google Chrome web browser profiles have disabled Flash cookies." confidence: "required" reference: "https://en.wikipedia.org/wiki/Local_shared_object" - type: "regex match" - command: - if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi - expected_regex: "^(False\n?)+$" - case_sensitive: "false" + tests: + [ + { + type: "exact match" + command: chrome_is_installed + command_pass: 0 + case_sensitive: false + }, + { + type: "regex match" + command: + find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled + command_pass: "^(False\n?)+$" + case_sensitive: "false" + } + ] fix: { command: 
@@ -1467,11 +2154,22 @@
 description: "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in."
 confidence: "required"
 reference: "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/"
- type: "regex match"
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "False"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi
- expected_regex: "^(False\n?)+$"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "regex match"
+ command:
+ find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled
+ command_pass: "^(False\n?)+$"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 command:
@@ -1482,12 +2180,23 @@
 //chrome://plugins/->Adobe Flash Player->Disable
 description: "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in."
 confidence: "required"
- type: "regex match"
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Shockwave Flash'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi
- expected_regex:
- ^(\[[^\[]+'enabled': False, 'name': 'Shockwave Flash'[^\]]+\]\n?)+$
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "regex match"
+ command:
+ find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list
+ command_pass:
+ ^(\[[^\[]+'enabled': False, 'name': 'Shockwave Flash'[^\]]+\]\n?)+$
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 //To simplify syntax, most of this logic has been stored in the "chrome_flash.sh" script
@@ -1499,12 +2208,23 @@
 //chrome://plugins/->Adobe Flash Player->Disable
 description: "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in."
 confidence: "required"
- type: "regex match"
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Adobe Flash Player'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi
- expected_regex:
- ^(\[[^\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\]]+\]\n?)+$
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "regex match"
+ command:
+ find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list
+ command_pass:
+ ^(\[[^\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\]]+\]\n?)+$
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 //To simplify syntax, most of this logic has been stored in the "chrome_flash.sh" script
@@ -1517,12 +2237,23 @@
 description: "All Google Chrome web browser profiles have disabled the Native Client plug-in."
 confidence: "required"
 reference: "https://developer.chrome.com/native-client"
- type: "regex match"
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Native Client'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi
- expected_regex:
- ^(\[[^\[]+'enabled': False, 'name': 'Native Client'[^\]]+\]\n?)+$
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "regex match"
+ command:
+ find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list
+ command_pass:
+ ^(\[[^\[]+'enabled': False, 'name': 'Native Client'[^\]]+\]\n?)+$
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 //To simplify syntax, most of this logic has been stored in the "chrome_nativeclient.sh" script
@@ -1534,12 +2265,23 @@
 //chrome://plugins/->Widevine Content Decryption Module->Disable
 description: "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in."
 confidence: "recommended"
- type: "regex match"
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "'enabled': False, 'name': 'Widevine Content Decryption Module'"; else find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi
- expected_regex:
- ^(\[[^\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\]]+\]\n?)+$
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "regex match"
+ command:
+ find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list
+ command_pass:
+ ^(\[[^\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\]]+\]\n?)+$
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 //To simplify syntax, most of this logic has been stored in the "chrome_widevine.sh" script
@@ -1551,12 +2293,23 @@
 //chrome://extensions/->uBlock Origin
 description: "All Google Chrome web browser profiles have enabled the uBlock Origin extension."
 confidence: "recommended"
- type: "exact match"
- //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
- expected_stdout: "True"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "exact match"
+ //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
+ command:
+ DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
+ command_pass: "True"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 manual:
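Review bot: The second `if` in the extension command prints "False" but, unlike the first, does not exit, so a profile with a bad state puts both `False` and `True` on stdout, although the comment above the command says it exits on any problem. The check presumably still fails because the output is no longer exactly `True`, but that rests on how the runner trims and compares output, which is not visible here. I would end the branch with `then echo "False" ; exit ; fi` so the failing path does not depend on the comparison. The Ghostery and ScriptSafe hunks below carry the same command with a different extension id.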
@@ -1571,12 +2324,23 @@
 //chrome://extensions/->Ghostery
 description: "All Google Chrome web browser profiles have enabled the Ghostery extension."
 confidence: "recommended"
- type: "exact match"
- //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
- expected_stdout: "True"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "exact match"
+ //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
+ command:
+ DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
+ command_pass: "True"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 manual:
@@ -1591,12 +2355,23 @@
 //chrome://extensions/->ScriptSafe
 description: "All Google Chrome web browser profiles have enabled the ScriptSafe extension."
 confidence: "experimental"
- type: "exact match"
- //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
- command:
- if [ $(chrome_is_installed) = "0" ]; then echo "True" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
- expected_stdout: "True"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command: chrome_is_installed
+ command_pass: 0
+ case_sensitive: false
+ },
+ {
+ type: "exact match"
+ //This style of bash command basically prints "False" and exits any time it detects a problem in any Chrome profile, since we're looking for 100% compliance. We'll create an exception for the default System and Guest profiles, since these are not configurable through the GUI.
+ command:
+ DISABLEREASONS=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v "does not exist" | grep -v "not found") ; if [[ -n $DISABLEREASONS ]] ; then echo "False" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | grep -v "Guest Profile" | grep -v "System Profile" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v "1") ; if [[ -n $BADSTATE ]] ; then echo "False" ; fi ; echo "True" ;
+ command_pass: "True"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 manual:
@@ -1610,11 +2385,16 @@
 {
 description: "Google Chrome is the default web browser."
 confidence: "recommended"
- type: "exact match"
- command:
- VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper "http")[1]'
- expected_stdout: "Google Chrome"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command:
+ VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper "http")[1]'
+ command_pass: "Google Chrome"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 manual:
@@ -1633,11 +2413,21 @@
 {
 description: "Can read /private/var/root"
 confidence: "required"
- type: "regex match"
- command: "ls /private/var/root"
- sudo_command: "sudo ls /private/var/root"
- expected_regex: ".*Library.*"
- case_sensitive: true
+ tests:
+ [
+ {
+ type: "regex match"
+ command: "ls /private/var/root"
+ command_pass: ".*Library.*"
+ case_sensitive: "true"
+ },
+ {
+ type: "regex match"
+ command: "sudo ls /private/var/root"
+ command_pass: ".*Library.*"
+ case_sensitive: "true"
+ }
+ ]
 fix:
 {
 manual: ""
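Review bot: In the "Can read /private/var/root" entry the privileged variant no longer has its own `sudo_command` key; it is now an ordinary second test whose `command` is `sudo ls /private/var/root`. If the runner uses the presence of `sudo_command` to decide whether to elevate or to ask the user first, that decision no longer sees this command. The runner is outside this hunk, so this needs checking there. I would either keep the key inside the test object, `sudo_command: "sudo ls /private/var/root"` next to `command: "ls /private/var/root"`, or add a comment on the second test saying it requires root and how the runner treats it.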
@@ -1648,11 +2438,16 @@
 {
 description: "DEBUG for api.sh"
 confidence: "required"
- type: "exact match"
- command:
- echo $(homebrew_is_installed)
- expected_stdout: "1"
- case_sensitive: "false"
+ tests:
+ [
+ {
+ type: "exact match"
+ command:
+ echo $(homebrew_is_installed)
+ command_pass: "1"
+ case_sensitive: "false"
+ }
+ ]
 fix:
 {
 manual: "blah"
diff --git a/osx-config.json b/osx-config.json
index 4f646ae..afac3e1 100644
--- a/osx-config.json
+++ b/osx-config.json
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "type": "exact match", "command": "id -Gn | grep -c -w admin", "expected_stdout": "0", "case_sensitive": "false", "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver 
(current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "sudo_command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "openssl version", "expected_stdout": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false", "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl 
/usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "type": "exact match", "command": "softwareupdate --schedule | grep 'Automatic check is on'", "sudo_command": "sudo softwareupdate --schedule | grep 'Automatic check is on'", "expected_stdout": "Automatic check is on", "case_sensitive": "false", "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate 
--schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "type": "exact match", "command": "spctl --status | grep 'assessments enabled'", "expected_stdout": "assessments enabled", "case_sensitive": "false", "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "sudo_command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "type": "exact match", "command": "defaults read com.apple.NetworkBrowser 
DisableAirDrop", "sudo_command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup -getremotelogin", "sudo_command": "sudo systemsetup -getremotelogin", "expected_stdout": "Remote Login: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -f 
-setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "systemsetup -getremoteappleevents", "sudo_command": "sudo systemsetup -getremoteappleevents", "expected_stdout": "Remote Apple Events: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is 
disabled.", "confidence": "required", "type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "sudo_command": "sudo systemsetup getwakeonnetworkaccess", "expected_stdout": "Wake On Network Access: Off", "case_sensitive": "false", "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "type": "exact match", "command": "systemsetup getusingnetworktime", "sudo_command": "sudo systemsetup getusingnetworktime", "expected_stdout": "Network Time: Off", "case_sensitive": "false", "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" 
]; then echo 0; else echo 1; fi", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "pmset -g", "expected_regex": ".*hibernatemode\\s+25.*", "case_sensitive": "false", "fix": {"command": 
"pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "type": "regex match", "command": "git --version", "expected_regex": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false", "fix": {"command": "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "launchctl list", "sudo_command": "sudo launchctl list", "expected_regex": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false", "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "expected_regex": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false", "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "type": "regex match", "command": "curl --version", "expected_regex": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false", "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*FileVault is On.*$", "case_sensitive": "false", "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "type": "regex match", "command": "fdesetup status -verbose", "expected_regex": "^.*device path \\=\\s+.*$", "case_sensitive": "false", "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "expected_regex": "^(0\n*)+$", "case_sensitive": "false", "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed 
-e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "type": "exact match", "command": "defaults 
-currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": 
"JavaScript disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "type": 
"exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", 
"expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "expected_stdout": "PlugInPolicyBlock", "case_sensitive": "false", "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "expected_stdout": "0", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "expected_stdout": "1", "case_sensitive": "false", "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ] ; then echo \"2\" ; else ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' ; fi", "expected_stdout": "2", "case_sensitive": "false", "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' safebrowsing.enabled ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; exit; fi; if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "expected_regex": ".*False$", "case_sensitive": "false", "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP 
header.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track ; fi", "expected_regex": "^(True\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"The attribute 'profile.default_content_setting_values.popups' does not exist\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups ; fi", "expected_regex": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} 
python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"2\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker ; fi", "expected_regex": "^(2\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled ; fi", 
"expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"False\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled ; fi", "expected_regex": "^(False\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Shockwave Flash'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the 
Adobe Flash Player plug-in.", "confidence": "required", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Adobe Flash Player'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Native Client'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "type": "regex match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"'enabled': False, 'name': 'Widevine Content Decryption Module'\"; else find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list ; fi", "expected_regex": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption 
Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false", "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "type": "exact match", "command": "if [ $(chrome_is_installed) = \"0\" ]; then echo \"True\" ; exit ; fi ; DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "expected_stdout": "True", "case_sensitive": "false", "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "expected_stdout": "Google Chrome", "case_sensitive": "false", "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 10de7a022a9b53b9432a630ac1bcf48e8565633c Mon Sep 17 00:00:00 2001 
From: Kristov Atlas
Date: Fri, 26 Aug 2016 17:23:15 -0400
Subject: [PATCH 10/43] fix typo in test for "All application software is currently up to date" fulfills issue #115
---
 osx-config.hjson | 2 +-
 osx-config.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index 2da4f17..518ee6e 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -420,7 +420,7 @@
 {
 type: "exact match"
 command:
- LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9\\-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ];then echo 1 && exit; fi; exit 0 && exit
+ LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* "\([0-9\\-]*\) .*$@\1@'); if [ "$LASTUPDATE" = "$(date +%Y-%m-%d)" ];then echo 1 && exit; fi; echo 0 && exit
 command_pass: "1"
 command_fail: "0"
 case_sensitive: "false"
diff --git a/osx-config.json b/osx-config.json
index afac3e1..57969b4 100644
--- a/osx-config.json
+++ b/osx-config.json
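Review bot: The new `command:` line in osx-config.hjson still compares `LastSuccessfulDate` with the local calendar date from `date +%Y-%m-%d`, so the test passes only when the last successful Software Update date is today and can fail on a fully patched machine. `defaults read` appears to print that timestamp in UTC, which would make the comparison wrong for part of the day in any non-UTC timezone; `"$(date -u +%Y-%m-%d)"` would at least compare like with like. The description promises "All application software is currently up to date", which this check does not establish, so a comment above the command such as `# passes only if LastSuccessfulDate is today; does not prove that no updates are pending` would help whoever has to interpret a failure. The enclosing test object continues past the end of the hunk.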
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 4ec64c59a648e447eb9f77a0229f71178b5adc10 Mon Sep 17 00:00:00 2001 
From: Kristov Atlas Date: Sun, 28 Aug 2016 00:08:29 -0400 Subject: [PATCH 11/43] rider commit: (bug fix) fix command works normally even if only a sudo version of the fix is specified in the Hjson --- app.py | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/app.py b/app.py index bfd6a73..83d1f04 100644 --- a/app.py +++ b/app.py @@ -386,7 +386,14 @@ def _try_fix(config_check, use_sudo=False): dprint("Command executed: '%s'" % str(command)) def do_fix_and_test(config_check): - """Attempt to fix misconfiguration w/ and w/o sudo privs, returning result. + """Attempt to fix misconfiguration, returning the result. + + If a non-sudo fix is specified, this will be attempted first. + If a non-sudo fix fails or there is none specified and a sudo fix is + specified, this will be attempted next. + If all previous attempts have failed or none have been specified and + instructions for manually fixing the configuration have been specified, + these will be printed out at the end of execution by another function. Args: config_check (`ConfigCheck`): The check to perform. @@ -394,12 +401,16 @@ def do_fix_and_test(config_check): Returns: bool: Whether an attempted fix was successful. """ - _try_fix(config_check, use_sudo=False) - if run_check(config_check, last_attempt=False, quiet_fail=True): - return True - else: + if config_check.fix is not None: + _try_fix(config_check, use_sudo=False) + if run_check(config_check, last_attempt=False, quiet_fail=True): + return True + + if config_check.sudo_fix is not None: _try_fix(config_check, use_sudo=True) return run_check(config_check, last_attempt=True, quiet_fail=False) + else: + return False def main(): """Main function.""" 
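Review bot: In `do_fix_and_test`, when `config_check.fix` is set but fails the re-check and `config_check.sudo_fix` is `None`, the function now returns `False` after calling `run_check` only with `last_attempt=False, quiet_fail=True`. Before this change the final `run_check(config_check, last_attempt=True, quiet_fail=False)` always ran, so if that call is what reports the failure (`run_check` is not visible here), a failed fix on this path is no longer reported to the user. Consider making the first check the final one when no sudo fix follows: `if run_check(config_check, last_attempt=config_check.sudo_fix is None, quiet_fail=config_check.sudo_fix is not None):`. The function's signature and docstring are in the preceding hunk.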
@@ -430,9 +441,14 @@ def main(): elif config_check.confidence == Confidence.experimental: prompt_default = const.FIX_EXPERIMENTAL_BY_DEFAULT descriptor = const.EXPERIMENTAL_STR + ' ' + + next_fix_command = config_check.fix + if next_fix_command is None: + next_fix_command = config_check.sudo_fix + question = (("\tApply the following %s fix? This will " "execute this command:\n\t\t'%s'") % - (descriptor, config_check.fix)) + (descriptor, next_fix_command)) if prompt.query_yes_no(question=question, default=_bool_to_yes_no(prompt_default)): fixed = do_fix_and_test(config_check) From 101bcbc689634b4dd82220f829c5c13f144e0f8a Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 28 Aug 2016 00:14:03 -0400 Subject: [PATCH 12/43] add latest homebrew installer script w/ user interaction removed MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Perhaps controversial, but I’ve included the latest homebrew install script from https://github.com/Homebrew/install/blob/master/install I’m including a local copy because I want to make sure it’s a known-good version. I’ve also removed from the script the “Press Enter” functionality since it is redundant and can’t be easily achieved in this tool’s current architecture. I can occasionally update this local copy if there are important changes upstream. --- ...97c44441b06dd4e1fc87f131ee9f319d77fcd50.rb | 280 ++++++++++++++++++ 1 file changed, 280 insertions(+) create mode 100644 scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb diff --git a/scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb b/scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb new file mode 100644 index 0000000..982f310 --- /dev/null +++ b/scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb 
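Review bot: The confirmation prompt built in the `main()` hunk of app.py shows a single command (`next_fix_command`), but `do_fix_and_test` goes on to `_try_fix(config_check, use_sudo=True)`, presumably running `sudo_fix`, whenever the non-sudo fix fails the re-check. When both `fix` and `sudo_fix` are set, the user therefore approves one command and a second, unseen one may then run with elevated privileges. When only `sudo_fix` is set, the prompt also does not say that the command will run under sudo. The question should show everything a "yes" authorises, for example after `question` is built: `if config_check.fix is not None and config_check.sudo_fix is not None:` followed by `question += "\n\tIf that fails, this will be run with sudo:\n\t\t'%s'" % config_check.sudo_fix`. `main()` starts and ends outside this hunk.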
@@ -0,0 +1,280 @@ +#!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby +# This script installs to /usr/local only. To install elsewhere you can just +# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or +# change the value of HOMEBREW_PREFIX. +HOMEBREW_PREFIX = "/usr/local".freeze +HOMEBREW_CACHE = "#{ENV["HOME"]}/Library/Caches/Homebrew".freeze +BREW_REPO = "https://github.com/Homebrew/brew".freeze +CORE_TAP_REPO = "https://github.com/Homebrew/homebrew-core".freeze + +# no analytics during installation +ENV["HOMEBREW_NO_ANALYTICS_THIS_RUN"] = "1" + +module Tty extend self + def blue; bold 34; end + def white; bold 39; end + def red; underline 31; end + def reset; escape 0; end + def bold n; escape "1;#{n}" end + def underline n; escape "4;#{n}" end + def escape n; "\033[#{n}m" if STDOUT.tty? end +end + +class Array + def shell_s + cp = dup + first = cp.shift + cp.map{ |arg| arg.gsub " ", "\\ " }.unshift(first) * " " + end +end + +def ohai *args + puts "#{Tty.blue}==>#{Tty.white} #{args.shell_s}#{Tty.reset}" +end + +def warn warning + puts "#{Tty.red}Warning#{Tty.reset}: #{warning.chomp}" +end + +def system *args + abort "Failed during: #{args.shell_s}" unless Kernel.system(*args) +end + +def sudo *args + ohai "/usr/bin/sudo", *args + system "/usr/bin/sudo", *args +end + +def getc # NOTE only tested on OS X + system "/bin/stty raw -echo" + if STDIN.respond_to?(:getbyte) + STDIN.getbyte + else + STDIN.getc + end +ensure + system "/bin/stty -raw echo" +end + +class Version + include Comparable + attr_reader :parts + + def initialize(str) + @parts = str.split(".").map { |i| i.to_i } + end + + def <=>(other) + parts <=> self.class.new(other).parts + end +end + +def macos_version + @macos_version ||= Version.new(`/usr/bin/sw_vers -productVersion`.chomp[/10\.\d+/]) +end + +def should_install_command_line_tools? 
+ return false if macos_version < "10.9" + developer_dir = `/usr/bin/xcode-select -print-path 2>/dev/null`.chomp + developer_dir.empty? || !File.exist?("#{developer_dir}/usr/bin/git") +end + +def git + @git ||= if ENV['GIT'] and File.executable? ENV['GIT'] + ENV['GIT'] + elsif Kernel.system '/usr/bin/which -s git' + 'git' + else + exe = `xcrun -find git 2>/dev/null`.chomp + exe if $? && $?.success? && !exe.empty? && File.executable?(exe) + end + + return unless @git + # Github only supports HTTPS fetches on 1.7.10 or later: + # https://help.github.com/articles/https-cloning-errors + `#{@git} --version` =~ /git version (\d\.\d+\.\d+)/ + return if $1.nil? or Version.new($1) < "1.7.10" + + @git +end + +def chmod?(d) + File.directory?(d) && !(File.readable?(d) && File.writable?(d) && File.executable?(d)) +end + +def chown?(d) + !File.owned?(d) +end + +def chgrp?(d) + !File.grpowned?(d) +end + +# Invalidate sudo timestamp before exiting +at_exit { Kernel.system "/usr/bin/sudo", "-k" } + +# The block form of Dir.chdir fails later if Dir.CWD doesn't exist which I +# guess is fair enough. Also sudo prints a warning message for no good reason +Dir.chdir "/usr" + +####################################################################### script +abort "See Linuxbrew: http://linuxbrew.sh/" if /linux/i === RUBY_PLATFORM +abort "MacOS too old, see: https://github.com/mistydemeo/tigerbrew" if macos_version < "10.6" +abort "Don't run this as root!" if Process.uid == 0 +abort <<-EOABORT unless `dsmemberutil checkmembership -U "#{ENV['USER']}" -G admin`.include? "user is a member" +This script requires the user #{ENV['USER']} to be an Administrator. If this +sucks for you then you can install Homebrew in your home directory or however +you please; please refer to our homepage. If you still want to use this script +set your user to be an Administrator in System Preferences or `su' to a +non-root user with Administrator privileges. 
+EOABORT +contents = Dir.glob(HOMEBREW_PREFIX+"*/{*,.git*}").join(" ").gsub!(%r{#{HOMEBREW_PREFIX}/}, "") +abort <<-EOABORT unless Dir["#{HOMEBREW_PREFIX}/.git/*"].empty? +It appears Homebrew is already installed. If your intent is to reinstall you +should do the following before running this installer again: + ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/uninstall)" +The current contents of #{HOMEBREW_PREFIX} are #{contents} +EOABORT +# Tests will fail if the prefix exists, but we don't have execution +# permissions. Abort in this case. +abort <<-EOABORT if File.directory? HOMEBREW_PREFIX and not File.executable? HOMEBREW_PREFIX +The Homebrew prefix, #{HOMEBREW_PREFIX}, exists but is not searchable. If this is +not intentional, please restore the default permissions and try running the +installer again: + sudo chmod 775 #{HOMEBREW_PREFIX} +EOABORT + +ohai "This script will install:" +puts "#{HOMEBREW_PREFIX}/bin/brew" +puts "#{HOMEBREW_PREFIX}/Library/..." +puts "#{HOMEBREW_PREFIX}/share/doc/homebrew" +puts "#{HOMEBREW_PREFIX}/share/man/man1/brew.1" +puts "#{HOMEBREW_PREFIX}/share/zsh/site-functions/_brew" +puts "#{HOMEBREW_PREFIX}/etc/bash_completion.d/brew" + +chmods = %w( . bin etc etc/bash_completion.d include lib lib/pkgconfig Library sbin share var var/log share/locale share/man + share/man/man1 share/man/man2 share/man/man3 share/man/man4 + share/man/man5 share/man/man6 share/man/man7 share/man/man8 + share/info share/doc share/aclocal share/zsh share/zsh/site-functions ). + map { |d| File.join(HOMEBREW_PREFIX, d) }.select { |d| chmod?(d) } +chowns = chmods.select { |d| chown?(d) } +chgrps = chmods.select { |d| chgrp?(d) } + +unless chmods.empty? + ohai "The following directories will be made group writable:" + puts(*chmods) +end +unless chowns.empty? + ohai "The following directories will have their owner set to #{Tty.underline 39}#{ENV['USER']}#{Tty.reset}:" + puts(*chowns) +end +unless chgrps.empty? 
+ ohai "The following directories will have their group set to #{Tty.underline 39}admin#{Tty.reset}:" + puts(*chgrps) +end + +if File.directory? HOMEBREW_PREFIX + sudo "/bin/chmod", "g+rwx", *chmods unless chmods.empty? + sudo "/usr/sbin/chown", ENV['USER'], *chowns unless chowns.empty? + sudo "/usr/bin/chgrp", "admin", *chgrps unless chgrps.empty? +else + sudo "/bin/mkdir", "-p", HOMEBREW_PREFIX + sudo "/bin/chmod", "g+rwx", HOMEBREW_PREFIX + # the group is set to wheel by default for some reason + sudo "/usr/sbin/chown", "#{ENV['USER']}:admin", HOMEBREW_PREFIX +end + +sudo "/bin/mkdir", "-p", HOMEBREW_CACHE unless File.directory? HOMEBREW_CACHE +sudo "/bin/chmod", "g+rwx", HOMEBREW_CACHE if chmod? HOMEBREW_CACHE +sudo "/usr/sbin/chown", ENV['USER'], HOMEBREW_CACHE if chown? HOMEBREW_CACHE +sudo "/usr/bin/chgrp", "admin", HOMEBREW_CACHE if chgrp? HOMEBREW_CACHE + +if should_install_command_line_tools? + ohai "Searching online for the Command Line Tools" + # This temporary file prompts the 'softwareupdate' utility to list the Command Line Tools + clt_placeholder = "/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress" + sudo "/usr/bin/touch", clt_placeholder + clt_label = `softwareupdate -l | grep -B 1 -E "Command Line (Developer|Tools)" | awk -F"*" '/^ +\\*/ {print $2}' | sed 's/^ *//' | head -n1`.chomp + ohai "Installing #{clt_label}" + sudo "/usr/sbin/softwareupdate", "-i", clt_label + sudo "/bin/rm", "-f", clt_placeholder + sudo "/usr/bin/xcode-select", "--switch", "/Library/Developer/CommandLineTools" +end + +# Headless install may have failed, so fallback to original 'xcode-select' method +if should_install_command_line_tools? + if STDIN.tty? + ohai "Installing the Command Line Tools (expect a GUI popup):" + sudo "/usr/bin/xcode-select", "--install" + puts "Press any key when the installation has completed." 
+ getc + sudo "/usr/bin/xcode-select", "--switch", "/Library/Developer/CommandLineTools" + else + abort "Error: Cannot proceed with manual Command Line Tools install without user input!" + end +end + +abort <<-EOABORT if `/usr/bin/xcrun clang 2>&1` =~ /license/ && !$?.success? +You have not agreed to the Xcode license. +Before running the installer again please agree to the license by opening +Xcode.app or running: + sudo xcodebuild -license +EOABORT + +ohai "Downloading and installing Homebrew..." +Dir.chdir HOMEBREW_PREFIX do + if git + # we do it in four steps to avoid merge errors when reinstalling + system git, "init", "-q" + + # "git remote add" will fail if the remote is defined in the global config + system git, "config", "remote.origin.url", BREW_REPO + system git, "config", "remote.origin.fetch", "+refs/heads/*:refs/remotes/origin/*" + + # ensure we don't munge line endings on checkout + system git, "config", "core.autocrlf", "false" + + args = git, "fetch", "origin", "master:refs/remotes/origin/master", "-n" + args << "--depth=1" unless ARGV.include?("--full") || !ENV["HOMEBREW_DEVELOPER"].nil? + system(*args) + + system git, "reset", "--hard", "origin/master" + + system "#{HOMEBREW_PREFIX}/bin/brew", "tap", "homebrew/core" + else + # -m to stop tar erroring out if it can't modify the mtime for root owned directories + # pipefail to cause the exit status from curl to propagate if it fails + curl_flags = "fsSL" + core_tap = "#{HOMEBREW_PREFIX}/Library/Taps/homebrew/homebrew-core" + system "/bin/bash -o pipefail -c '/usr/bin/curl -#{curl_flags} #{BREW_REPO}/tarball/master | /usr/bin/tar xz -m --strip 1'" + + system "/bin/mkdir", "-p", core_tap + Dir.chdir core_tap do + system "/bin/bash -o pipefail -c '/usr/bin/curl -#{curl_flags} #{CORE_TAP_REPO}/tarball/master | /usr/bin/tar xz -m --strip 1'" + end + end +end + +warn "#{HOMEBREW_PREFIX}/bin is not in your PATH." unless ENV['PATH'].split(':').include? 
"#{HOMEBREW_PREFIX}/bin" + +ohai "Installation successful!" +ohai "Next steps" + +if macos_version < "10.9" and macos_version > "10.6" + `/usr/bin/cc --version 2> /dev/null` =~ %r[clang-(\d{2,})] + version = $1.to_i + puts "Install the #{Tty.white}Command Line Tools for Xcode#{Tty.reset}: https://developer.apple.com/downloads" if version < 425 +else + puts "Install #{Tty.white}Xcode#{Tty.reset}: https://developer.apple.com/xcode" unless File.exist? "/usr/bin/cc" +end + +puts "Run `brew help` to get started" +puts "Further documentation: https://git.io/brew-docs" +ohai "Homebrew has enabled anonymous aggregate user behaviour analytics" +puts "Read the analytics documentation (and how to opt-out) here:" +puts " https://git.io/brew-analytics" +if git + Dir.chdir HOMEBREW_PREFIX do + system git, "config", "--local", "--replace-all", "homebrew.analyticsmessage", "true" + end +end From afa632acef586564f97d2aba68545a9719485279 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Sun, 28 Aug 2016 00:15:07 -0400 Subject: [PATCH 13/43] Add homebrew as required configuration Homebrew is extremely useful for semi-securely installing and updating tools. --- osx-config.hjson | 21 +++++++++++++++++++++ osx-config.json | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/osx-config.hjson b/osx-config.hjson index 2da4f17..8905a59 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
@@ -33,6 +33,27 @@ * back-slashes '\' must be escaped with a double black-slash, i.e. '\\' */ [ + { + //Install Homebrew as a useful tool for semi-securely install or updating other tools + description: "Homebrew is installed." + confidence: "required" + tests: + [ + { + type: "exact match" + command: + echo $(homebrew_is_installed) + command_pass: "1" + command_fail: "0" + case_sensitive: "false" + } + ] + fix: + { + //This homebrew script requries sudo privs and so the user of this tool should be alerted as to why she is being prompted for a password + sudo_command: "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb" + } + } /* --- BEGIN SYSTEM SETTINGS --- */ { //Check if the System Preferences app is closed -- otherwise, it may override changes this app makes. diff --git a/osx-config.json b/osx-config.json index afac3e1..1d32769 100644 --- a/osx-config.json +++ b/osx-config.json 
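Review bot: The `sudo_command` added here executes the vendored `./scripts/homebrew_install_….rb` by a path relative to the working directory, and nothing visible in this change compares the file with the digest embedded in its name before running it; unless app.py does that elsewhere, the "known-good" property depends on where the tool is started and on the file being untouched on disk. The script also fetches `master` of `BREW_REPO` at run time (`git fetch origin master…`, or the `tarball/master` download), so the local copy pins the bootstrap logic only; the comment above `sudo_command` should say so, e.g. `//Pinned local copy of the installer; it still downloads Homebrew master at run time`. Separately, `homebrew_is_installed` in the test command is not defined in any visible part of the patch. If nothing provides it, `$(...)` expands to an empty string and the output matches neither `command_pass` nor `command_fail`. A self-contained test such as `[ -x /usr/local/bin/brew ] && echo 1 || echo 0` avoids that dependency.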
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 67cf7a21bd0d6d7955616b143714219f3e6249e7 Mon Sep 17 00:00:00 2001 
From: Kristov Atlas
Date: Sun, 28 Aug 2016 23:16:15 -0400
Subject: [PATCH 14/43] Add manual instructions for failed Homebrew install
---
 osx-config.hjson | 7 +++++++
 osx-config.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index 8905a59..d592451 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -52,6 +52,13 @@
 {
 //This homebrew script requries sudo privs and so the user of this tool should be alerted as to why she is being prompted for a password
 sudo_command: "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb"
+ manual:
+ '''
+ Homebrew is a useful tool for installing and updating programs from the command line.
+ There are various things that can go wrong when attempting to install Homebrew.
+ Please review their installation guide here:
+ https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md
+ '''
 }
 }
 /* --- BEGIN SYSTEM SETTINGS --- */
diff --git a/osx-config.json b/osx-config.json
index 1d32769..9637778 100644
--- a/osx-config.json
+++ b/osx-config.json
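Review bot: The added `manual:` text in the osx-config.hjson hunk links to `blob/master/share/doc/homebrew/Installation.md`, a moving branch path, so the fallback shows whatever upstream publishes when the user reads it, and the link breaks if the document is moved. The `sudo_command` just above it runs a copy of the installer kept under `./scripts` whose filename carries a fixed hex digest (presumably a content hash of the script; worth confirming), so a user who takes the manual route installs Homebrew outside that pinned copy without being told. I would pin the link to a permalink, `https://github.com/Homebrew/brew/blob/<commit-sha>/share/doc/homebrew/Installation.md`, and add a line to the text such as `Note: the upstream guide runs upstream's current installer, not the copy shipped in ./scripts.` The check object that holds this `fix` block starts above the hunk.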
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. 
You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver 
askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", 
"confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. 
You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver 
askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", 
"confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; exit 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 8ee91349a43b38f7f07e5397c1e63fd777c0d479 Mon Sep 17 00:00:00 2001 
From: Kristov Atlas Date: Mon, 29 Aug 2016 13:14:49 -0400 Subject: [PATCH 15/43] Added config check for whether `/usr/local/bin` is preferred in `PATH` This will help fix various problems related to the tools that ship with OS X in `/usr/bin/` QA: Verified that it works properly including manual instructions. --- osx-config.hjson | 33 ++++++++++++++++++++++++++++++ osx-config.json | 2 +- scripts/check_usr_local_bin_pos.sh | 13 ++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 scripts/check_usr_local_bin_pos.sh diff --git a/osx-config.hjson b/osx-config.hjson index 623ed3b..3ae0fa5 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -33,6 +33,7 @@ * back-slashes '\' must be escaped with a double black-slash, i.e. '\\' */ [ + /* --- BEGIN HOMEBREW SETTINGS --- */ { //Install Homebrew as a useful tool for semi-securely install or updating other tools description: "Homebrew is installed." 
@@ -61,6 +62,38 @@ ''' } } + { + //Tools installed by Homebrew should be preferred according to the PATH + //environment variable. + "description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)" + confidence: "required" + tests: + [ + { + type: "exact match" + command: "bash ./scripts/check_usr_local_bin_pos.sh" + command_pass: 1 + command_fail: 0 + case_sensitive: false + } + ] + fix: + { + //Only "fix" this PATH preference if we haven't already applied the + //fix to the ~/.profile file. Otherwise, the user will need to + //restart Terminal in order for this take effect. + command: + TEST=$(grep "PATH=/usr/local/bin" ~/.profile) ; if [ ! -n "$TEST" ] ; then echo export PATH="/usr/local/bin:$PATH" >> ~/.profile ; fi + manual: + ''' + 1. Bring the Terminal application to the foreground if it is not already. You should see the word "Terminal" in the top left corner of your screen. + 2. Select Terminal->Quit + 3. Re-open the Terminal application and run the tool again; this check should now pass. + ''' + } + } + /* ---- END HOMEBREW SETTINGS ---- */ + /* --- BEGIN SYSTEM SETTINGS --- */ { //Check if the System Preferences app is closed -- otherwise, it may override changes this app makes. diff --git a/osx-config.json b/osx-config.json index 592ed39..e10dc4c 100644 --- a/osx-config.json +++ b/osx-config.json 
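Review bot: In the `fix.command` of the new /usr/local/bin check, `$PATH` sits inside double quotes on the `echo`, so (assuming the tool hands the command to a shell) it is expanded and the quotes are stripped before anything reaches `~/.profile`. The file then holds a frozen, unquoted copy of whatever PATH the tool was run with, including entries inherited from a modified environment, and a PATH entry containing a space breaks the `export` line. Writing the line literally avoids this, and the guard then has to match the literal form: `grep -qF 'PATH="/usr/local/bin:' ~/.profile || echo 'export PATH="/usr/local/bin:$PATH"' >> ~/.profile`. Separately, since this check is `required` and puts /usr/local/bin ahead of /usr/bin, the comment above it should state that the directory must not be writable by unprivileged accounts, because anything placed there shadows the system tools; whether the tool verifies ownership is not visible in this hunk.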
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. 
Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. 
Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", 
"command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", 
"confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; 
launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", 
"tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": 
"false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file 
diff --git a/scripts/check_usr_local_bin_pos.sh b/scripts/check_usr_local_bin_pos.sh
new file mode 100644
index 0000000..260323e
--- /dev/null
+++ b/scripts/check_usr_local_bin_pos.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Description: Checks the position of /usr/local/bin relative to /usr/bin/ in
+# the $PATH environment variable. If /usr/bin/local is first, this will echo
+# the value "1", otherwise it will echo "0"
+
+UB_POS=$(echo $PATH | awk '{print index($1, "/usr/bin")}')
+ULB_POS=$(echo $PATH | awk '{print index($1, "/usr/local/bin")}')
+
+if [ "$ULB_POS" -eq "0" ] || [ "$ULB_POS" -gt "$UB_POS" ] ; then
+ echo 0
+else
+ echo 1
+fi
From 51368552fff602cf1a4081c223466e7263714a43 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Mon, 29 Aug 2016 13:21:26 -0400
Subject: [PATCH 16/43] update expected curl via home-brew to 7.50.1 this satisfies https://github.com/kristovatlas/osx-config-check/issues/114
---
 osx-config.hjson | 2 +-
 osx-config.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index 3ae0fa5..d54a907 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -991,7 +991,7 @@
 {
 type: "regex match"
 command: "curl --version"
- command_pass: ".*(command not found|7\\.48\\.0).*"
+ command_pass: ".*(command not found|7\\.50\\.1).*"
 case_sensitive: "false"
 }
 ]
diff --git a/osx-config.json b/osx-config.json
index e10dc4c..aaea1f7 100644
--- a/osx-config.json
+++ b/osx-config.json
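Review bot: In scripts/check_usr_local_bin_pos.sh both lookups read `$1` from an unquoted `echo $PATH`, so awk only searches PATH up to the first whitespace, and `index()` matches substrings rather than whole entries (a directory such as `/opt/usr/local/bin` would be counted as `/usr/local/bin`). The config describes this check as one that other tests depend on, so a wrong answer here changes which `openssl`, `curl` or `git` the later version checks end up evaluating; matching whole colon-delimited entries is safer: `UB_POS=$(echo "$PATH" | awk '{print index(":" $0 ":", ":/usr/bin:")}')`, and the same form with `":/usr/local/bin:"` for `ULB_POS`. The script also echoes 0 when `/usr/bin` is absent from PATH but `/usr/local/bin` is present, because `ULB_POS` is then greater than a `UB_POS` of 0; an explicit `[ "$UB_POS" -eq 0 ]` branch would make that outcome deliberate. The header comment says `/usr/bin/local` where `/usr/local/bin` is meant.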
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.48\\.0).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 1c657693eac151d27aaaf457c76a196536badea1 Mon Sep 17 00:00:00 2001 
From: Kristov Atlas Date: Mon, 29 Aug 2016 13:29:18 -0400 Subject: [PATCH 17/43] version number of tool is written to stdout and log file satisfies https://github.com/kristovatlas/osx-config-check/issues/112 --- app.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/app.py b/app.py index 83d1f04..816c04b 100644 --- a/app.py +++ b/app.py @@ -21,6 +21,8 @@ const.FIX_RECOMMENDED_BY_DEFAULT = True #TODO: command line flag const.FIX_EXPERIMENTAL_BY_DEFAULT = False #TODO: command line flag +const.VERSION = "v0.0.0-alpha (rattata)" + const.API_FILENAME = './scripts/api.sh' const.COLORS = { @@ -473,6 +475,7 @@ def main(): glob_check_num += 1 if const.WRITE_TO_LOG_FILE: + log_to_file("osx-config %s" % const.VERSION) print("Wrote results to %s'%s'%s." % (const.COLORS['BOLD'], const.LOG_FILE_LOC, const.COLORS['ENDC'])) @@ -519,7 +522,7 @@ def is_match(regex, string, ignore_case=False): def _print_banner(): banner = (("---------------------------------------------------------------" "---------------------------\n" - "%s%sosx-config-check%s\n" + "%s%sosx-config-check%s %s\n" "Download the latest copy of this tool at: " "https://github.com/kristovatlas/osx-config-check \n" "Report bugs/issues:\n" @@ -529,7 +532,7 @@ def _print_banner(): "---------------------------------------------------------------" "---------------------------\n") % (const.COLORS['BOLD'], const.COLORS['OKBLUE'], - const.COLORS['ENDC'])) + const.COLORS['ENDC'], const.VERSION)) print _underline_hyperlink(banner) if __name__ == "__main__": From 747d7c570223dd2fd5a05423a2e150732e21e571 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Mon, 29 Aug 2016 17:42:51 -0400 Subject: [PATCH 18/43] rider commit: improve debug output for app.py --- app.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app.py b/app.py index 816c04b..ccdb624 100644 --- a/app.py +++ b/app.py 
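Review bot: In the `main()` hunk (`@@ -473,6 +475,7 @@`) the version is written to the log only inside the final `if const.WRITE_TO_LOG_FILE:` block, which appears to sit after the check loop, so a run interrupted before that point would leave a log with results but no tool version. Writing the version before the first check would make every log attributable to a release, which matters when results are compared across versions of the check definitions. The logged name `osx-config` also differs from the `osx-config-check` printed by `_print_banner()`; `log_to_file("osx-config-check %s" % const.VERSION)` would keep the two consistent. `main()` starts and ends outside the hunk, so where the log file is first written is not visible here.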
@@ -381,11 +381,15 @@ def _try_fix(config_check, use_sudo=False): print(("\tAttempting configuration fix with elevated privileges; %syou " "may be prompted for your OS X login password%s...") % (const.COLORS['BOLD'], const.COLORS['ENDC'])) + stdoutdata = "" + stderrdata = "" if command is not None: process = Popen(command, stdout=PIPE, stderr=STDOUT, shell=True) - process.communicate() + stdoutdata, stderrdata = process.communicate() dprint("Command executed: '%s'" % str(command)) + dprint("Command STDOUT: '%s'" % str(stdoutdata)) + dprint("Command STDERR: '%s'" % str(stderrdata)) def do_fix_and_test(config_check): """Attempt to fix misconfiguration, returning the result. From 1b8d651b122f151c7846f6c8de24570e56398fc8 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Mon, 29 Aug 2016 17:45:09 -0400 Subject: [PATCH 19/43] Correct OpenSSL config fix by manipulating PATH env var MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This partially satisfies the problem referenced in #73 by manipulating $PATH instead of attempting to move apple’s binaries. QA: Config fixes broken system as expected and doesn’t write to .profile multiple times. --- osx-config.hjson | 10 +++-- osx-config.json | 2 +- scripts/set_openssl_latest_path.sh | 16 +++++++ scripts/set_path_precedence.py | 69 ++++++++++++++++++++++++++++++ 4 files changed, 93 insertions(+), 4 deletions(-) create mode 100644 scripts/set_openssl_latest_path.sh create mode 100644 scripts/set_path_precedence.py diff --git a/osx-config.hjson b/osx-config.hjson index d54a907..cf08060 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
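Review bot: `stderrdata` in `_try_fix` will always be `None`, because the `Popen` call keeps `stderr=STDOUT` and `communicate()` returns a stderr value only when that stream is a pipe; the new `Command STDERR` debug line therefore always prints `'None'` while the real error text is mixed into `stdoutdata`. Either pass `stderr=PIPE` in the `Popen` call or drop the third `dprint`. The exit status is still discarded, so a fix command that fails is not recorded here at all; `dprint("Command exit status: %s" % process.returncode)` after `communicate()` would capture it. `_try_fix` starts above the hunk.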
@@ -446,10 +446,14 @@ ] fix: { - command: "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv /usr/bin/openssl /usr/bin/openssl-apple" - sudo_command: "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple" + command: "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh" + manual: + ''' + 1. Bring the Terminal application to the foreground if it is not already. You should see the word "Terminal" in the top left corner of your screen. + 2. Select Terminal->Quit + 3. Re-open the Terminal application and run the tool again; this check should now pass. + ''' } - undo: "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl" }, { description: "Hidden files are displayed in Finder." diff --git a/osx-config.json b/osx-config.json index aaea1f7..b5ef76b 100644 --- a/osx-config.json +++ b/osx-config.json 
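Review bot: The new `fix.command` in the `osx-config.hjson` hunk (`@@ -446,10 +446,14 @@`) chains its steps with `;`, so `set_openssl_latest_path.sh` runs even when the `brew` steps fail, and PATH precedence could then change without an updated OpenSSL actually being installed. Gating the last step, e.g. `[ -x "$(brew --prefix openssl)/bin/openssl" ] && bash ./scripts/set_openssl_latest_path.sh`, or making the same check inside the script, would avoid that. The hunk also removes the `undo` entry without a replacement, while the commit description says the fix writes to `.profile`; an `undo` that removes the added line would keep the change reversible. The check entry begins above the hunk and the script body is not in view.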
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; mv 
/usr/bin/openssl /usr/bin/openssl-apple", "sudo_command": "brew update ; brew install openssl ; brew upgrade openssl ; brew link openssl --force ; sudo mv /usr/bin/openssl /usr/bin/openssl-apple"}, "undo": "sudo mv /usr/bin/openssl-apple /usr/bin/openssl ; brew unlink openssl"}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file 
diff --git a/scripts/set_openssl_latest_path.sh b/scripts/set_openssl_latest_path.sh
new file mode 100644
index 0000000..e147eec
--- /dev/null
+++ b/scripts/set_openssl_latest_path.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# Description: Sets the position of the most recent version of openssl in the
+# PATH environment variable
+
+# set working directory to the one containing this script so it can find other
+# scripts.
+cd "$(dirname "$0")"
+
+OPENSSL_LATEST_PATH=$(find /usr/local/Cellar/openssl -name "bin" -maxdepth 2 -type d | sort -nr | head -n 1)
+
+if [ -n "$OPENSSL_LATEST_PATH" ] ; then
+ echo "Attempting to fix..."
+ python ./set_path_precedence.py "$OPENSSL_LATEST_PATH" "/usr/bin"
+else
+ echo "Could not find Homebrew installation of OpenSSL."
+fi
diff --git a/scripts/set_path_precedence.py b/scripts/set_path_precedence.py
new file mode 100644
index 0000000..6ff5578
--- /dev/null
+++ b/scripts/set_path_precedence.py
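Review bot: In `set_openssl_latest_path.sh`, `sort -nr | head -n 1` does not reliably pick the newest Cellar directory: every path starts with `/`, so the numeric key is the same for each line and the order presumably falls back to a reversed byte comparison (with constructed names, `1.0.2` would rank above `1.0.10`). The chosen path is also version-specific, so the `PATH` entry written to `~/.profile` keeps pointing at the old keg after a later `brew upgrade openssl`. Resolving the stable prefix avoids both: `OPENSSL_PREFIX=$(brew --prefix openssl 2>/dev/null)` followed by `[ -d "$OPENSSL_PREFIX/bin" ] && OPENSSL_LATEST_PATH="$OPENSSL_PREFIX/bin"`. The `cd` above it should also fail closed, `cd "$(dirname "$0")" || exit 1`, because otherwise the relative `./set_path_precedence.py` is resolved from the caller's working directory.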
@@ -0,0 +1,69 @@
+"""Enforces a specific order for two directories in the PATH environment var.
+
+This is enforced by modifying the bash profile file stored at ~/.profile
+"""
+
+import sys
+import re
+import os
+
+ENABLE_DEBUG_PRINT = False
+PROFILE_FILENAME = os.path.expanduser('~/.profile')
+
+class BrokenOrderError(Exception):
+ """There's something wrong with the order of commands in .profile """
+ pass
+
+def _main():
+ assert len(sys.argv) == 3
+ dir_1 = str(sys.argv[1])
+ dir_2 = str(sys.argv[2])
+
+ dprint("%s %s" % (dir_1, dir_2))
+
+ if _is_path_good(dir_1, dir_2):
+ dprint("Path was good")
+ return
+
+ #scan profile to ensure PATH is not already set to desired value
+ profile = []
+ with open(PROFILE_FILENAME, 'r') as profile_read:
+ profile = profile_read.readlines()
+
+ found_intended_path = False
+
+ for line in profile:
+ #ignore commented out lines
+ if re.search(line, r'^\s*#.*$') is not None:
+ continue
+
+ if _is_path_set_in_line(line, dir_1):
+ dprint("Found line that sets intended path: %s" % line)
+ found_intended_path = True
+
+ if found_intended_path and _is_path_set_in_line(line, dir_2):
+ #a later export declaration has overriden what we wanted, panic D-:
+ raise BrokenOrderError
+
+ if not found_intended_path:
+ new_path_entry = "\nexport PATH=%s:$PATH\n" % dir_1
+ with open(PROFILE_FILENAME, 'a') as profile_append:
+ profile_append.write(new_path_entry)
+
+def _is_path_good(dir_1, dir_2):
+ return _is_match(os.environ['PATH'], r'.*%s.*%s.*' % (dir_1, dir_2))
+
+def _is_match(string, pattern):
+ return re.compile(pattern).search(string) is not None
+
+def _is_path_set_in_line(line, dir_1):
+ passing_path_entry = r'^.*PATH=%s.*$' % dir_1
+ return _is_match(line, passing_path_entry)
+
+def dprint(data):
+ """Print debug data, if enabled."""
+ if ENABLE_DEBUG_PRINT:
+ print "DEBUG: %s" % data
+
+if __name__ == '__main__':
+ _main()
From d89378b9ad4a414f16def03856010459ef8e996b Mon Sep 17 00:00:00 2001
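Review bot: In `_main` of `set_path_precedence.py`, `re.search(line, r'^\s*#.*$')` passes its arguments in the wrong order, so each profile line is compiled as the pattern and commented-out `export PATH=` lines are not skipped; a line with unbalanced regex metacharacters would presumably raise `re.error`. It should read `if re.search(r'^\s*#', line) is not None:`. Separately, `dir_1` and `dir_2` are interpolated unescaped into the patterns in `_is_path_good` and `_is_path_set_in_line` (the `.` in a versioned Cellar path matches any character), so they should be wrapped in `re.escape(...)`. The line appended to `~/.profile` also embeds `dir_1` unquoted; since that file is sourced by every login shell, the value is worth validating as an absolute path and writing as `export PATH="%s:$PATH"`.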
From: Kristov Atlas
Date: Mon, 29 Aug 2016 17:47:37 -0400
Subject: [PATCH 20/43] rider commit: update expected git version to 2.9.3
---
 osx-config.hjson | 2 +-
 osx-config.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index cf08060..61e58fa 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -933,7 +933,7 @@
 {
 type: "regex match"
 command: "git --version"
- command_pass: ".*(command not found|2\\.8\\.2).*"
+ command_pass: ".*(command not found|2\\.9\\.3).*"
 case_sensitive: "false"
 }
 ]
diff --git a/osx-config.json b/osx-config.json
index b5ef76b..0c126bf 100644
--- a/osx-config.json
+++ b/osx-config.json
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.8\\.2).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From 51db1f09e7f21b9f6c47fff5790d89383f1cb4f5 Mon Sep 17 00:00:00 2001 
From: Kristov Atlas
Date: Mon, 29 Aug 2016 17:57:24 -0400
Subject: [PATCH 21/43] Use set_path_precedence.py for general PATH fix and correct fix for git

---
 osx-config.hjson | 16 ++++++++++++----
 osx-config.json | 2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/osx-config.hjson b/osx-config.hjson
index 61e58fa..379516e 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -83,7 +83,7 @@
 //fix to the ~/.profile file. Otherwise, the user will need to
 //restart Terminal in order for this take effect.
 command:
- TEST=$(grep "PATH=/usr/local/bin" ~/.profile) ; if [ ! -n "$TEST" ] ; then echo export PATH="/usr/local/bin:$PATH" >> ~/.profile ; fi
+ python ./scripts/set_path_precedence.py "/usr/local/bin" "/usr/bin"
 manual:
 '''
 1. Bring the Terminal application to the foreground if it is not already. You should see the word "Terminal" in the top left corner of your screen.
@@ -939,9 +939,17 @@
 ]
 fix:
 {
- //This will make sure latest git is installed via homebrew and make make apple's version of git non-competitive
- command: "brew update && brew install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple"
- sudo_command: "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"
+ //Only "fix" this PATH preference if we haven't already applied the
+ //fix to the ~/.profile file. Otherwise, the user will need to
+ //restart Terminal in order for this take effect.
+ command:
+ brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py "/usr/local/bin" "/usr/bin"
+ manual:
+ '''
+ 1. Bring the Terminal application to the foreground if it is not already. You should see the word "Terminal" in the top left corner of your screen.
+ 2. Select Terminal->Quit
+ 3. Re-open the Terminal application and run the tool again; this check should now pass.
+ '''
 }
 },
 {
diff --git a/osx-config.json b/osx-config.json
index 0c126bf..d3f91c9 100644
--- a/osx-config.json
+++ b/osx-config.json
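Review bot: In the `osx-config.hjson` hunk at `@@ -83,7 +83,7 @@`, the comment that continues into the hunk still describes the removed `grep "PATH=/usr/local/bin" ~/.profile` guard, while the new line delegates to `python ./scripts/set_path_precedence.py "/usr/local/bin" "/usr/bin"`, whose behaviour is not visible in this patch. I would reword it along the lines of `//set_path_precedence.py puts /usr/local/bin ahead of /usr/bin; restart Terminal for this to take effect` and say there whether the script is safe to run more than once. Because this check makes /usr/local/bin take precedence over /usr/bin, the comment should also record that the directory must not be writable by other accounts, since any file placed there shadows the system binary of the same name. The enclosing `fix` block starts and ends outside the hunk.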
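Review bot: In the `osx-config.hjson` hunk at `@@ -939,9 +939,17 @@`, the new `command:` chains its steps with `;` where the removed line used `&&`, so `set_path_precedence.py` runs even when `brew install git` or `brew upgrade git` fails and the fix can finish with no Homebrew git to prefer. If the `;` is there to tolerate a non-zero exit from brew for an already-installed package (an assumption, not shown here), the PATH step can still be gated on the outcome: `brew update ; brew install git ; brew upgrade git ; [ -x /usr/local/bin/git ] && python ./scripts/set_path_precedence.py "/usr/local/bin" "/usr/bin"`. The three added `//Only "fix" this PATH preference…` comment lines are copied from the PATH check and do not mention the brew steps; `//Install or upgrade git via Homebrew, then prefer /usr/local/bin over /usr/bin` would describe this fix. The check's `tests` list and the rest of the entry lie outside the hunk.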
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "TEST=$(grep \"PATH=/usr/local/bin\" ~/.profile) ; if [ ! -n \"$TEST\" ] ; then echo export PATH=\"/usr/local/bin:$PATH\" >> ~/.profile ; fi", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update && brew 
install git && brew upgrade git && mv /usr/bin/git /usr/bin/git-apple", "sudo_command": "brew update && brew install git && brew upgrade git && sudo mv /usr/bin/git /usr/bin/git-apple"}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup 
status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults 
-currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" 
~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared 
DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": 
"https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": 
".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", 
"command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, 
{"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 
'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. 
Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. 
INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": 
"FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep 
\"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}]
\ No newline at end of file
From a9ef195401a47e5b5ed012226540f9124caa4462 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Mon, 29 Aug 2016 17:58:26 -0400
Subject: [PATCH 22/43] replace unhelpful brew link with set_path_precedence.py for curl
---
 osx-config.hjson | 3 ++-
 osx-config.json | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index 379516e..5d264c4 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -1009,7 +1009,8 @@
 ]
 fix:
 {
- command: "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"
+ command:
+ brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py "/usr/local/bin" "/usr/bin"
 }
 undo: "brew unlink curl"
 },
diff --git a/osx-config.json b/osx-config.json
index d3f91c9..1430c08 100644
--- a/osx-config.json
+++ b/osx-config.json
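Review bot: The context line `undo: "brew unlink curl"` after the rewritten `command:` in osx-config.hjson no longer reverses the fix, because the new command drops `brew link curl --force` and reorders PATH through `set_path_precedence.py`. I would delete that `undo` line; the PATH-precedence check visible in osx-config.json runs the same script and carries no `undo`. The fix now places `/usr/local/bin` ahead of `/usr/bin` for every binary rather than exposing only curl, and that directory is typically user-writable under Homebrew, so a comment above `command:` should say so, for example `# puts /usr/local/bin ahead of /usr/bin for all binaries, not only curl`. The check's object opens before the hunk, so its description and tests are not visible here.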
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; brew link curl --force"}, "undo": "brew unlink curl"}, {"description": 
"FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep 
\"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, 
"undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg 
-rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add 
:ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file From ed8fadfc51ecc1988919ceeb5789cc2c68040096 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Mon, 29 Aug 2016 19:11:26 -0400 Subject: [PATCH 23/43] checks the version of java installed if any, and attempts to upgrade via brew cask satisfies https://github.com/kristovatlas/osx-config-check/issues/78 --- osx-config.hjson | 33 +++++++++++++++++++++++++++++++++ osx-config.json | 2 +- scripts/api.sh | 18 ++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/osx-config.hjson b/osx-config.hjson index 5d264c4..70e9354 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -94,6 +94,39 @@ } /* ---- END HOMEBREW SETTINGS ---- */ + { + //JRE is a scourge + description: "Java Runtime Environment is up to date." + confidence: recommended + tests: + [ + { + //Pass test if `java` is not installed + type: "exact match" + command: java_is_installed + command_pass: 0 + case_sensitive: false + } + { + //Past test if the latest version available via `brew cask install java` is installed + type: "exact match" + command: java -version 2>&1 >/dev/null | grep 'java version' + command_pass: + java version "1.8.0_102" + case_sensitive: false + } + ] + fix: + { + manual: + ''' + 1. Your installation of Java is not up to date. You can either update it or remove it. + 2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml + 3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml + ''' + } + } + /* --- BEGIN SYSTEM SETTINGS --- */ { //Check if the System Preferences app is closed -- otherwise, it may override changes this app makes. diff --git a/osx-config.json b/osx-config.json index 1430c08..e806363 100644 --- a/osx-config.json +++ b/osx-config.json 
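Review bot: The second test's `command_pass: java version "1.8.0_102"` hard-codes what counts as "up to date", so the check goes stale with the next JRE release: a host left on 1.8.0_102 keeps passing after that build is superseded, while a host on a newer build fails the exact match. The test's own comment promises "the latest version available via `brew cask install java`", but nothing in the hunk looks that version up; if scripts/api.sh (changed in this commit, not shown here) can report the cask's current version, compare against that instead of a literal. Until then, state the maintenance burden next to the value, e.g. `//Pinned JRE build: bump on every Java security release`, and correct `//Past test` to `//Pass test`. The `fix` block is manual-only and points at java.com, which appears to differ from the subject line's "attempts to upgrade via brew cask" and is worth reconciling.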
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, 
"undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg 
-rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add 
:ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, 
{"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is 
no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. 
Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", 
"command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is 
enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; 
launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", 
"tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": 
"false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, 
"undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg 
-rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add 
:ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}]
\ No newline at end of file
diff --git a/scripts/api.sh b/scripts/api.sh
index f7225d6..f65c90e 100644
--- a/scripts/api.sh
+++ b/scripts/api.sh
@@ -33,3 +33,21 @@ function chrome_is_installed {
 echo 0
 fi
 }
+
+function java_is_installed {
+ #detects whether JRE/JDK is installed or osx's placeholder is sitting there,
+ #waiting to annoy us with pop-up windows if 'java' is invoked
+ JAVA_WHICH=$(which java)
+ LINK=$(readlink "$JAVA_WHICH")
+ if [ "$LINK" = "/System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/java" ] ; then
+ #fake java binary
+ echo 0
+ else
+ IS_JAVA=$(java -version 2>&1 >/dev/null | grep -c 'java version')
+ if [ "$IS_JAVA" = "1" ] ; then
+ echo 1
+ else
+ echo 0
+ fi
+ fi
+}
From 5bbcb02c371c9ed581781c1d55dfda000384c56e Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Mon, 29 Aug 2016 20:42:06 -0400 Subject: [PATCH 24/43] Add various command line args MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added these command line flags: ``` Usage: python app.py [OPTIONS] OPTIONS: --debug-print Enables verbose output for debugging the tool. --report-only Only reports on compliance and does not offer to fix broken configurations. --disable-logs Refrain from creating a log file with the results. --disable-prompt Refrain from prompting user before applying fixes. --skip-sudo-checks Do not perform checks that require sudo privileges. --help -h Print this usage information. ``` QA: all of the flags appear to do what they’re supposed to do. Invalid flags raise an error as expected. --- README.md | 12 +++++ app.py | 142 +++++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 120 insertions(+), 34 deletions(-)
diff --git a/README.md b/README.md
index ddd444c..3d8e211 100644
--- a/README.md
+++ b/README.md
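Review bot: The `grep -c 'java version'` test in `java_is_installed` only recognises a runtime whose banner begins with `java version`; an OpenJDK build prints `openjdk version "…"` instead, so it is reported as not installed, and any check gated on this helper would presumably be skipped on such a machine. Matching both banners closes the gap: `IS_JAVA=$(java -version 2>&1 >/dev/null | grep -c -E '(java|openjdk) version')`. `JAVA_WHICH`, `LINK` and `IS_JAVA` are also assigned without `local`, so they stay set in whatever shell sources api.sh; declaring them with `local JAVA_WHICH LINK IS_JAVA` at the top of the function keeps the helper self-contained. The body of `chrome_is_installed` above it starts outside this hunk.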
@@ -33,6 +33,18 @@ python app.py This will take you through a series of interactive steps that checks your machine's configuration, and offers to fix mixconfigurations for you. +Intermediate users and advanced users can also invoke various command-line arguments: +``` +Usage: python app.py [OPTIONS] +OPTIONS: + --debug-print Enables verbose output for debugging the tool. + --report-only Only reports on compliance and does not offer to fix broken configurations. + --disable-logs Refrain from creating a log file with the results. + --disable-prompt Refrain from prompting user before applying fixes. + --skip-sudo-checks Do not perform checks that require sudo privileges. + --help -h Print this usage information. +``` + ## Sample Output ```bash diff --git a/app.py b/app.py index ccdb624..1fdbe76 100644 --- a/app.py +++ b/app.py @@ -1,6 +1,7 @@ #!/usr/bin/env python """Checks the configuration of various osx options.""" +import sys import time import datetime from os.path import expanduser @@ -11,11 +12,8 @@ import const #const.py import prompt #prompt.py -const.ENABLE_DEBUG_PRINT = False const.DEFAULT_OUTPUT_LOCATION = "~/Documents/" -const.WRITE_TO_LOG_FILE = True #TODO: Allow user to pass command line arg const.DEFAULT_CONFIG_FILE = "osx-config.json" -const.PROMPT_FOR_FIXES = True #TODO: allow user to pass command line arg const.WARN_FOR_RECOMMENDED = True #TODO: command line flag const.WARN_FOR_EXPERIMENTAL = True #TODO: command line flag const.FIX_RECOMMENDED_BY_DEFAULT = True #TODO: command line flag @@ -39,6 +37,7 @@ const.PASSED_STR = const.COLORS['OKGREEN'] + "PASSED!" + const.COLORS['ENDC'] const.FAILED_STR = const.COLORS['FAIL'] + "FAILED!" + const.COLORS['ENDC'] +const.SKIPPED_STR = const.COLORS['OKBLUE'] + "SKIPPED!" + const.COLORS['ENDC'] const.NO_SUDO_STR = ("%s%s%s" % (const.COLORS['WARNING'], ("Insufficient privileges to perform this check. " 
@@ -221,42 +220,53 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): passed = False for test in config_check.tests: #alert user if he might get prompted for admin privs due to sudo use + result_str = None if 'sudo ' in test['command']: - fancy_sudo_command = re.sub("sudo", const.SUDO_STR, test['command']) - print(("The next configuration check requires elevated privileges; " - "%syou may be prompted for your current OS X user's " - "password below%s. The command to be executed is: '%s'") % - (const.COLORS['BOLD'], const.COLORS['ENDC'], - fancy_sudo_command)) - - command_pass = None - if 'command_pass' in test: - command_pass = str(test['command_pass']) - command_fail = None - if 'command_fail' in test: - command_fail = str(test['command_fail']) - result = _execute_check(command=test['command'], - comparison_type=test['type'], - case_sensitive=test['case_sensitive'], - command_pass=command_pass, - command_fail=command_fail) - if result == CheckResult.explicit_pass: - dprint("Test passed exlicitly for '%s'" % test['command']) - passed = True - break - elif result == CheckResult.explicit_fail: - dprint("Test failed exlicitly for '%s'" % test['command']) - break - elif result == CheckResult.no_pass: - dprint("Test did not pass for '%s'" % test['command']) - continue - else: - raise ValueError("Invalid return value from _execute_check.") + if const.NON_INTERACTIVE: + dprint("Skipping test because app is in non-interactive mode.") + passed = False + result_str = const.SKIPPED_STR + else: + fancy_sudo_command = re.sub( + "sudo", const.SUDO_STR, test['command']) + print(("The next configuration check requires elevated " + "privileges; %syou may be prompted for your current OS " + "X user's password below%s. 
The command to be executed " + "is: '%s'") % + (const.COLORS['BOLD'], const.COLORS['ENDC'], + fancy_sudo_command)) + + if 'sudo ' not in test['command'] or not const.NON_INTERACTIVE: + command_pass = None + if 'command_pass' in test: + command_pass = str(test['command_pass']) + command_fail = None + if 'command_fail' in test: + command_fail = str(test['command_fail']) + result = _execute_check(command=test['command'], + comparison_type=test['type'], + case_sensitive=test['case_sensitive'], + command_pass=command_pass, + command_fail=command_fail) + if result == CheckResult.explicit_pass: + dprint("Test passed exlicitly for '%s'" % test['command']) + passed = True + break + elif result == CheckResult.explicit_fail: + dprint("Test failed exlicitly for '%s'" % test['command']) + break + elif result == CheckResult.no_pass: + dprint("Test did not pass for '%s'" % test['command']) + continue + else: + raise ValueError("Invalid return value from _execute_check.") if passed or not quiet_fail: + if result_str is None: + result_str = _get_result_str(passed) msg = ("\nCHECK #%d: %s... %s" % (glob_check_num, config_check.description, - _get_result_str(passed))) + result_str)) print msg if const.WRITE_TO_LOG_FILE: log_to_file(msg) @@ -422,6 +432,13 @@ def main(): """Main function.""" global glob_check_num + args = get_sys_args() + const.ENABLE_DEBUG_PRINT = args['debug-print'] + const.WRITE_TO_LOG_FILE = args['write-to-log-file'] + const.PROMPT_FOR_FIXES = not args['no-prompt'] + const.ATTEMPT_FIXES = not args['report-only'] + const.NON_INTERACTIVE = args['skip-sudo-checks'] + _print_banner() config_checks = read_config(const.DEFAULT_CONFIG_FILE) @@ -429,6 +446,10 @@ def main(): for config_check in config_checks: if not run_check(config_check): #config failed check + if not const.ATTEMPT_FIXES: + glob_check_num += 1 + continue + if config_check.fix is None and config_check.sudo_fix is None: #no automatic fix available if config_check.manual_fix is not None: 
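Review bot: In the `run_check` hunk, a test skipped under `--skip-sudo-checks` leaves `passed = False`, so the caller appears to receive the same result as for a real failure. In the `main` hunks that follow, `if not run_check(config_check)` then continues into the fix path unless `--report-only` was also given, and with `--disable-prompt` that would presumably apply a fix (possibly `config_check.sudo_fix`) for a setting that was never tested. A skip should be its own outcome that `main` counts and steps over rather than repairs, for example a separate skipped value returned by `run_check` that `main` checks before reaching the fix logic. In the same loop, `result_str` keeps `const.SKIPPED_STR` once a sudo test has been skipped, so a check whose later non-sudo test sets `passed = True` still prints SKIPPED!. The return statement of `run_check` and the remainder of `main` lie outside these hunks, so the exact return path needs confirming.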
@@ -539,5 +560,58 @@ def _print_banner(): const.COLORS['ENDC'], const.VERSION)) print _underline_hyperlink(banner) +def print_usage(): + """Prints usage for this command-line tool and exits.""" + print("Usage: python app.py [OPTIONS]\n" + "OPTIONS:\n" + "\t--debug-print Enables verbose output for debugging the " + "tool.\n" + "\t--report-only Only reports on compliance and does not " + "offer to fix broken configurations.\n" + "\t--disable-logs Refrain from creating a log file with the " + "results.\n" + "\t--disable-prompt Refrain from prompting user before applying " + "fixes.\n" + "\t--skip-sudo-checks Do not perform checks that require sudo " + "privileges.\n" + "\t--help -h Print this usage information.\n") + sys.exit() + +def get_sys_args(): + """Parses command line args, setting defaults where not specified. + + Returns: dict: + * debug-print (bool) + * report-only (bool) + * write-to-log-file (bool) + * no-prompt (bool) + * skip-sudo-checks (bool) + """ + args = {'debug-print': False, + 'report-only': False, + 'write-to-log-file': True, + 'no-prompt': False, + 'skip-sudo-checks': False} + unprocessed_args = sys.argv[1:] + while len(unprocessed_args) > 0: + flag = unprocessed_args.pop(0) + if flag == '--debug-print': + args['debug-print'] = True + elif flag == '--report-only': + args['report-only'] = True + elif flag == '--disable-logs': + args['write-to-log-file'] = False + elif flag == '--disable-prompt': + args['no-prompt'] = True + elif flag == '--skip-sudo-checks': + args['skip-sudo-checks'] = True + elif flag == '-h' or flag == '--help': + print_usage() + else: + print "ERROR: Unrecognized option '%s'" % flag + print_usage() + + return args + if __name__ == "__main__": main() From 10465aa95cce4311f0a1bab77e6029dddfcfd547 Mon Sep 17 00:00:00 2001 
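Review bot: The unrecognized-option branch of get_sys_args ends in `print_usage()`, which calls `sys.exit()` with no status, so a mistyped flag ends the audit with exit code 0 and a wrapper script or scheduled job cannot tell that no checks ran. Let print_usage take a status, `def print_usage(exit_code=0):` ending in `sys.exit(exit_code)`, and call `print_usage(exit_code=2)` from the `else` branch, with the error line written to stderr. get_sys_args's docstring should also say that it terminates the process for `--help` and for unknown options. The option names and returned keys differ (`--disable-prompt` → `no-prompt`, `--disable-logs` → `write-to-log-file`), a mismatch that `argparse` with explicit `dest` values would make harder to get wrong.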
From: Kristov Atlas Date: Mon, 29 Aug 2016 20:49:12 -0400 Subject: [PATCH 25/43] Updated manual instructions for homebrew analytics: just restart Terminal, don't logout --- osx-config.hjson | 7 +++++-- osx-config.json | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index 70e9354..fbbce7c 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -349,10 +349,13 @@ ] fix: { - //TODO: This fix works if you login/logout, but I haven't been able to get a fix working that doesn't require login/logout. The enironment variable is context dependent, and it's not clear how to set the variable in the parent-most environment without this action. command: "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile" manual: - 1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience! + ''' + 1. Bring the Terminal application to the foreground if it is not already. You should see the word "Terminal" in the top left corner of your screen. + 2. Select Terminal->Quit + 3. Re-open the Terminal application and run the tool again; this check should now pass. + ''' } }, { diff --git a/osx-config.json b/osx-config.json index e806363..1a09130 100644 --- a/osx-config.json +++ b/osx-config.json 
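Review bot: The new manual steps promise that the check passes after restarting Terminal, but the fix command on the context line only appends the export to `~/.profile`, which a bash login shell reads only when neither `~/.bash_profile` nor `~/.bash_login` exists. On an account that has one of those files the variable is never set and the check keeps failing after the restart. Add a step such as `4. If the check still fails and ~/.bash_profile exists, add 'source ~/.profile' to it and restart Terminal again.`, or have the fix write to whichever profile file the shell actually loads. The trailing `source ~/.profile` in the command presumably runs in a child shell and does not change the tool's own environment, which is what the removed TODO described. A short comment keeping that rationale would help the next maintainer.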
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. In order for the automatic fix to be applied, you must logout of the current user and log back in. Sorry for the inconvenience!"}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, 
"undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg 
-rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add 
:ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, 
{"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is 
no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python 
./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": 
"^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": 
"false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c 
\"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}]
\ No newline at end of file
From fc6b47cd97a85a66c142c176f878f547934ea765 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Mon, 29 Aug 2016 21:02:31 -0400
Subject: [PATCH 26/43] fixed typos
---
 README.md | 2 +-
 osx-config.hjson | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 3d8e211..74c54c7 100644
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Next run the app as follows:
 python app.py
 ```
-This will take you through a series of interactive steps that checks your machine's configuration, and offers to fix mixconfigurations for you.
+This will take you through a series of interactive steps that checks your machine's configuration, and offers to fix misconfigurations for you.
 Intermediate users and advanced users can also invoke various command-line arguments:
 ```
diff --git a/osx-config.hjson b/osx-config.hjson
index fbbce7c..3e1a548 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -857,7 +857,7 @@
 undo: "sudo systemsetup setusingnetworktime on"
 },
 {
- //There are a number of attacks based on IPv6 use. For the sake of simplicity, it's best to disable it entirely unless it is requried. See: https://www.ernw.de/download/ERNW_Hardening_IPv6_MacOS-X_v1_0.pdf
+ //There are a number of attacks based on IPv6 use. For the sake of simplicity, it's best to disable it entirely unless it is required. See: https://www.ernw.de/download/ERNW_Hardening_IPv6_MacOS-X_v1_0.pdf
 description: "IPv6 is disabled on all network interfaces."
 confidence: "recommended"
 reference: "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml"
From 6bd22820ef981e998f8699c10ae51fbae55b6092 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Mon, 29 Aug 2016 22:09:34 -0400
Subject: [PATCH 27/43] Use script to fix DNS settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This should hopefully accomplish these things: * The user will no longer be prompted with annoying GUI pop-ups for their admin credentials, once per network interface (via using sudo) * Only try to write settings for the network interfaces not already using Google DNS * By using sudo, these settings should hopefully “stick” better between logins.
---
 osx-config.hjson | 2 +-
 osx-config.json | 2 +-
 scripts/use_google_dns.sh | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 scripts/use_google_dns.sh
diff --git a/osx-config.hjson b/osx-config.hjson
index 3e1a548..f59a6c8 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -1028,7 +1028,7 @@
 ]
 fix:
 {
- command: "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"
+ sudo_command: sudo bash ./scripts/use_google_dns.sh
 }
 },
 {
diff --git a/osx-config.json b/osx-config.json
index 1a09130..927378d 100644
--- a/osx-config.json
+++ b/osx-config.json
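Review bot: The new `sudo_command` in the `fix` block of the osx-config.hjson hunk runs `./scripts/use_google_dns.sh` as root through a path relative to the caller's working directory. The script sits in a checkout the unprivileged user can write to, so whatever can modify that file, or start the tool from another directory, decides what executes under sudo. I would have the runner resolve the script against the tool's own directory and refuse to run it unless it is owned by the invoking user or root and is not group- or world-writable; the runner code is not visible in this hunk, so this may already be handled there. The value is also the only unquoted string among the neighbouring entries, and `sudo_command: "sudo bash ./scripts/use_google_dns.sh"` would keep the file uniform. Finally, the change drops the plain `command` key that other fixes keep next to `sudo_command`, so it is worth confirming the fix is still offered sensibly when the user declines sudo.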
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -setdnsservers '{}' 8.8.8.8 8.8.4.4"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, 
"undo": "brew unlink curl"}, {"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg 
-rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", 
"command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add 
:ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", 
"command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled 
-bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": 
"killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, 
{"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is 
no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}]
\ No newline at end of file
diff --git a/scripts/use_google_dns.sh b/scripts/use_google_dns.sh
new file mode 100644
index 0000000..e812069
--- /dev/null
+++ b/scripts/use_google_dns.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# Description: Sets all network interfaces to use Google DNS servers, but only
+# for the network interfaces that are not compliant.
+
+function non_google_dns {
+ INTERFACE=$1
+ if [ "$INTERFACE" = "An asterisk (*) denotes that a network service is disabled." ]; then
+ echo 0
+ else
+ DNS=$(networksetup -getdnsservers "$INTERFACE" | tr -d "\n")
+ if [ "$DNS" != "8.8.8.88.8.4.4" ]; then
+ echo 1
+ else
+ echo 0
+ fi
+ fi
+}
+export -f non_google_dns
+
+function set_google_dns {
+ INTERFACE=$1
+ sudo networksetup -setdnsservers "$INTERFACE" 8.8.8.8 8.8.4.4
+}
+export -f set_google_dns
+
+
+function process {
+ INTERFACE=$1
+ IS_NON_GOOGLE_DNS=$(non_google_dns "$INTERFACE")
+ if [ "$IS_NON_GOOGLE_DNS" = "1" ]; then
+ set_google_dns "$INTERFACE"
+ fi
+}
+export -f process
+
+networksetup listallnetworkservices | xargs -I{} bash -c 'process "{}"'
From fbabe73ec9fe5011c4390b63562e50e3c3ab0f40 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Tue, 30 Aug 2016 11:27:58 -0400 Subject: [PATCH 28/43] add check for OSX/Keydnap QA: works correctly when 0 or 1 of the files is detected --- osx-config.hjson | 71 ++++++++++++++++++++++++++++++++++++++++++++++++ osx-config.json | 2 +- 2 files changed, 72 insertions(+), 1 deletion(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index f59a6c8..2b59d2e 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
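Review bot: The last line of the new script, `networksetup listallnetworkservices | xargs -I{} bash -c 'process "{}"'`, pastes each service name into the text of the `bash -c` command, so a name containing `"`, `$(` or a backtick is parsed as shell syntax in a script whose `set_google_dns` goes on to call `sudo networksetup`. Service names are user-editable labels, so hand the name over as a positional argument instead: `xargs -I{} bash -c 'process "$1"' _ {}`. Separately, `non_google_dns` skips only the header line of the listing; a disabled service appears to be printed with a leading `*`, which `networksetup -getdnsservers` would presumably not accept as a service name, so lines starting with `*` likely need skipping too — worth confirming on a machine that has a disabled service.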
@@ -2519,6 +2519,77 @@ /* ----END GOOGLE CHROME SETTINGS---- */ + /* --- BEGIN COMMON MALWARE DETECTION --- */ + + { + description: "OSX/Keydnap malware is not present." + confidence: "required" + reference: "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/" + tests: + [ + { + type: "exact match" + command: + if [ -e "/Applications/Transmission.app/Contents/Resources/License.rtf" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "/Library/Application Support/com.apple.iCloud.sync.daemon/" ] ; then echo 1 ; else echo 0 ; fi + command_fail: 1 + case_sensitive: false + } + { + type: "exact match" + command: + if [ -e "/Library/Application Support/com.apple.iCloud.sync.daemon/" ] ; then echo 1 ; else echo 0 ; fi + command_pass: 0 + command_fail: 1 + case_sensitive: false + } + ] + fix: + { + manual: + ''' + 1. One or more of the files associated with the OSX/Keydnap malware was found. Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas). + 2. 
Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/ + ''' + } + } + + /* ---- END COMMON MALWARE DETECTION ---- */ + /* useful for debugging `sudo_command` { description: "Can read /private/var/root" diff --git a/osx-config.json b/osx-config.json index 927378d..19751b4 100644 --- a/osx-config.json +++ b/osx-config.json 
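Review bot: The last two tests in the new OSX/Keydnap entry run the identical command against `/Library/Application Support/com.apple.iCloud.sync.daemon/`, so the seventh test adds no coverage; it differs from the sixth only by `command_pass: 0`. If a different indicator path from the referenced write-up was intended there, it should replace the duplicate; otherwise the seventh test can be dropped. The other six tests set only `command_fail: 1`, and how the runner scores an output that matches neither value is not visible in this hunk, so adding `command_pass: 0` to each would make the expected clean result explicit. The commit message reports QA with zero or one file present, so a run with several indicators present at once would also be worth adding.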
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill 
usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, 
{"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is 
no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file From bc97739d55aa67265f25c1de48e66186fae5a16e Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Tue, 30 Aug 2016 12:10:51 -0400 Subject: [PATCH 29/43] create exemption from OS X firewall for users of Little Snitch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Little Snitch users are presumed to be sufficiently competent to administer it effectively. QA: None, except that scripts aren’t broken by this --- osx-config.hjson | 14 ++++++++++++++ osx-config.json | 2 +- scripts/api.sh | 9 +++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/osx-config.hjson b/osx-config.hjson index 2b59d2e..bb22c33 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -181,6 +181,13 @@ reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" tests: [ + { + //Exempt users who are using Little Snitch + type: "exact match" + command: little_snitch_is_installed + command_pass: 1 + case_sensitive: false + } { type: "exact match" command: "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate" @@ -202,6 +209,13 @@ reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" tests: [ + { + //Exempt users who are using Little Snitch + type: "exact match" + command: little_snitch_is_installed + command_pass: 1 + case_sensitive: false + } { type: "exact match" command: "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate" diff --git a/osx-config.json b/osx-config.json index 19751b4..d4d4acb 100644 --- a/osx-config.json +++ b/osx-config.json 
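Review bot: The test added at the top of `tests` in the `@@ -181,6 +181,13 @@` hunk, and again in `@@ -202,6 +209,13 @@`, keys the exemption on `little_snitch_is_installed` returning 1, while its comment says the exempted users are "using" Little Snitch. If a match on `command_pass` ends the check as passed, which the `chrome_is_installed` guards elsewhere in this config suggest, a machine with Little Snitch installed but its filter stopped or disabled would report both firewall checks as passing with the application firewall off. The helper is defined in scripts/api.sh, outside these hunks, so whether it looks for a running process or only for files on disk cannot be confirmed here; if it is presence-only, it should test for the running filter instead. At minimum the comment should state the limit, e.g. `//Exempt users who have Little Snitch installed; does not verify that its network filter is running`, and each check's `description` should mention the exemption so that a pass is not read as "the OS X firewall is enabled".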
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": 
"sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", 
"manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is 
on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill 
usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", 
"command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | 
grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": 
"systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 
is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill 
usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}]
\ No newline at end of file
diff --git a/scripts/api.sh b/scripts/api.sh
index f65c90e..f2c997b 100644
--- a/scripts/api.sh
+++ b/scripts/api.sh
@@ -51,3 +51,12 @@ function java_is_installed {
 fi
 fi
 }
+
+function little_snitch_is_installed {
+ RUNNING=$(pgrep "Little Snitch Daemon")
+ if [ -n "$RUNNING" ]; then
+ echo 1
+ else
+ echo 0
+ fi
+}
From 490124a738afaac4a1a57c6c7d0d4f06f78dc807 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Wed, 31 Aug 2016 14:29:31 -0400
Subject: [PATCH 30/43] add dns_helper script
---
 dns_helper.sh | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 dns_helper.sh
diff --git a/dns_helper.sh b/dns_helper.sh
new file mode 100644
index 0000000..eb8a983
--- /dev/null
+++ b/dns_helper.sh
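Review bot: `little_snitch_is_installed` in scripts/api.sh reports whether a process matching "Little Snitch Daemon" is running, not whether the product is installed, so a stopped daemon reads as "not installed"; any check that uses this helper as a precondition would presumably be skipped in that state. `pgrep` treats its argument as a pattern, so `RUNNING=$(pgrep -x "Little Snitch Daemon")` would restrict it to an exact process-name match. At minimum the function deserves a comment such as `# echoes 1 when the Little Snitch daemon process is running, else 0` so callers know what is actually tested.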
@@ -0,0 +1,61 @@
+#!/bin/bash
+#Author: Kristov Atlas https://github.com/kristovatlas/osx-config-check
+#Description: Helps user temporarily return to automatic DNS configuration in
+#order to resolve problems connecting to wi-fi active portals that use their own
+#DNS servers.
+
+#This uses the networksetup tool and requires sudo privs
+
+STORED_DNS=''
+
+function store_dns {
+ #echo "DEBUG: entered store_dns"
+ STORED_DNS=$(networksetup -getdnsservers Wi-Fi | tr -s "\n" " ")
+ if [ "$STORED_DNS" = "There aren't any DNS Servers set on Wi-Fi. " ]; then
+ echo "Oops! You already had DNS settings set to automatic. You're having some other kind of problem connecting to wi-fi. Try opening your browser and surfing to 'http://example' to bring up an active-portal login page."
+ exit
+ fi
+ echo "(Your current DNS servers are '$STORED_DNS')"
+}
+
+function set_automatic_dns {
+ #echo "DEBUG: entered set_automatic_dns."
+ store_dns
+ echo "Enter your OSX login password if prompted: "
+ sudo networksetup -setdnsservers Wi-Fi "empty"
+
+ NEW_VAL=$(networksetup -getdnsservers Wi-Fi)
+ if [ "$NEW_VAL" = "There aren't any DNS Servers set on Wi-Fi." ]; then
+ echo "Successfully changed DNS settings to automatic."
+ else
+ echo "Oops! There may have been a problem setting DNS settings to automatic :("
+ fi
+ #echo "DEBUG: new DNS settings: '$NEW_VAL'"
+}
+
+function restore_dns {
+ #echo "DEBUG: Entered restore_dns"
+ echo "Enter your OSX login password if prompted: "
+ sudo networksetup -setdnsservers Wi-Fi $STORED_DNS
+ echo "DNS settings restored."
+}
+
+echo This program will help you temporarily restore automatic DNS settings when you\'re having trouble connecting to Wi-Fi networks.
+
+valid_response=0
+while [ $valid_response -eq 0 ] ; do
+ read -r -p "Temporarily set DNS to automatic settings? [Y/n] " response
+ response=$(perl -e "print lc('$response')")
+
+ if [[ $response =~ ^(yes|y| ) ]]; then
+ valid_response=1
+ set_automatic_dns
+ else
+ if [[ $response =~ ^(no|n) ]]; then
+ exit
+ fi
+ fi
+done
+
+read -r -p "You're now ready to connect to a Wi-Fi active portal. You may need to open a web browser and surf to 'http://example.com' to interact with the active portal. When you're done connecting, PRESS ENTER here to restore your original DNS settings."
+restore_dns
From b00bf32531f4df6bfeb02024d77b07a53a7d2e36 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Wed, 31 Aug 2016 14:29:45 -0400 Subject: [PATCH 31/43] Update README with instructions on how to use dns_helper --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 74c54c7..0761c92 100644
--- a/README.md
+++ b/README.md
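Review bot: The line `response=$(perl -e "print lc('$response')")` pastes whatever was typed at the prompt into Perl source, so an answer containing a single quote is interpreted as Perl instead of being lower-cased; pass the input as data instead, e.g. `response=$(printf '%s' "$response" | tr '[:upper:]' '[:lower:]')`. Separately, `restore_dns` only runs after the final `read`, so interrupting the script leaves the interface on automatic DNS and the saved servers in `STORED_DNS` are lost; a `trap restore_dns INT TERM` installed in `set_automatic_dns` after `store_dns` would cover that. `restore_dns` also prints "DNS settings restored." without checking the exit status of `sudo networksetup`, so a failed or cancelled sudo prompt is reported as success. The pattern `^(yes|y| )` does not match an empty answer, so pressing Enter for the advertised default `Y` only re-prompts.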
@@ -182,6 +182,14 @@ TEST #101: All Google Chrome web browser profiles have enabled the Ghostery exte If you receive an error message referencing these terms, the user you are currently logged in as may not be permitted to temporarily assume elevated privileges, preventing this tool from fully auditing and/or fixing your user's configuration. If you have added a non-Administrator user to your machine to help secure it, you will find that your non-Administrator user is not part of the "sudoers" list by default. To learn about how to add your user to the "sudoers" list, please [refer to this link](http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/). +### Trouble Connecting to Wi-Fi + +This tool encourages users to use DNS servers run by the Google corporation. This can break some wi-fi networks that use "active portals" to login, like those found at cafes, airports, etc. If you're having trouble connecting to a wi-fi network after using this tool, please use the "dns_helper" tool included. From the terminal application, run: + + bash dns_helper.sh + +And follow the instructions on the screen carefully. + ## Contributing Please read [CONTRIBUTING.md](CONTRIBUTING.md) before submitting pull requests to the repository. From c7597bd7b28ce18e70798f89009e961037c18e1b Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Wed, 31 Aug 2016 17:25:06 -0400 Subject: [PATCH 32/43] add config check: gpgmail recommended && refactor test commands using new api.sh functions QA: None yet other than that the Hjson is valid and the app runs smoothly without unexpected fails, need to test on another machine for false negatives --- osx-config.hjson | 159 ++++++++++++++++++++++++++++++++++++----------- osx-config.json | 2 +- scripts/api.sh | 22 +++++++ 3 files changed, 145 insertions(+), 38 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index bb22c33..23a74d4 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
@@ -1679,15 +1679,15 @@ { //Check if the Mail app is closed -- otherwise, it may override changes this app makes. description: "The Mail application is currently closed." - confidence: "required" + confidence: required reference: "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html" tests: [ { type: "exact match" command: "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'" - command_pass: "2" //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. - case_sensitive: "false" + command_pass: 2 //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command. + case_sensitive: false } ] fix: @@ -1699,17 +1699,22 @@ { //Mail->Preferences->Viewing->Load remote content in messages description: "Apple Mail does not automatically load remote content in e-mails." - confidence: "recommended" + confidence: recommended tests: [ { + //If Apple Mail is not in use by the user, this test passes type: "exact match" - //Either Apple Mail is not in use or remote content is disabled. I use "ls" here to resolve the "~" symbol to the fully qualified file path that "test" requires. - command: - REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n "$REMOTELOAD" ]; then echo 1; else echo 0; fi - command_pass: "1" - command_fail: "0" - case_sensitive: "false" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading" + command_pass: 1 + command_fail: 0 + case_sensitive: false } ] fix: 
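Review bot: The new `defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading` test no longer maps an unset key to a result: the removed one-liner echoed 0 whenever the plist existed and the value was not 1, whereas `defaults read` on a missing key prints nothing to stdout, which matches neither `command_pass: 1` nor `command_fail: 0`. How the runner scores a test that matches neither value is not visible in this hunk, so please confirm it counts as a failure; otherwise a preference left at its default could go unreported. If it does not, keep the fallback in the command, e.g. `command: "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading 2>/dev/null || echo 0"`. The same applies to the `org.gpgtools.gpgmail` reads of `EncryptNewEmailsByDefault`, `OptionallyEncryptDrafts`, `SignNewEmailsByDefault` and `SUEnableAutomaticChecks` in the later hunks of this file. The check's `fix` block lies outside the hunk.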
@@ -1721,14 +1726,21 @@ { //Mail->Preferences->Junk Mail->Enable junk mail filtering AND When junk mail arrives: Move it to the Junk mailbox description: "Mail identified by Apple Mail as junk is sent to the Junk mailbox." - confidence: "recommended" + confidence: recommended tests: [ + { + //If Apple Mail is not in use by the user, this test passes + type: "exact match" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } { type: "exact match" command: "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior" - command_pass: "2" - case_sensitive: "false" + command_pass: 2 + case_sensitive: false } ] fix: 
@@ -1736,19 +1748,53 @@ command: "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2" } }, + { + description: "GPGMail is in use." + confidence: recommended + tests: + [ + { + type: "exact match" + command: gpg_mail_in_use + command_pass: 1 + command_fail: 0 + case_sensitive: false + } + ] + fix: + { + manual: + ''' + 1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users. + ''' + } + } { //Mail->Preferences->GPGMail->Composing->Encrypt new messages by default description: "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain." - confidence: "recommended" + confidence: recommended tests: [ { + //If Apple Mail is not in use by the user, this test passes type: "exact match" - command: - AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPT" ]; then echo 1; else echo 0; fi - command_pass: "1" - command_fail: "0" - case_sensitive: "false" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + //If GPG Mail is not in use by the user, this test passes + type: "exact match" + command: gpg_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault" + command_pass: 1 + command_fail: 0 + case_sensitive: false } ] fix: 
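Review bot: The new "GPGMail is in use." check has no `apple_mail_in_use` guard, unlike the other Mail checks touched in this commit, so it would presumably fail for users who do not use Apple Mail at all; if that is not intended, add the same first test the neighbouring checks use (`command: apple_mail_in_use` with `command_pass: 0`). The manual fix text reads "can be used to encrypted and sign emails" and should be `This tool can be used to encrypt and sign emails sent to other PGP users.` Because the fix sends the user to download an installer, the text could also ask them to verify the download against the checksum or signature the vendor publishes, if one is available, before installing. `gpg_mail_in_use` is defined in scripts/api.sh, outside this hunk, so its behaviour is not reviewed here.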
@@ -1760,16 +1806,29 @@ { //Mail->Preferences->GPGMail->Composing->Encrypt drafts description: "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail." - confidence: "required" + confidence: required tests: [ { + //If Apple Mail is not in use by the user, this test passes type: "exact match" - command: - AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOENCRYPTDRAFTS" ]; then echo 1; else echo 0; fi - command_pass: "1" - command_fail: "0" - case_sensitive: "false" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + //If GPG Mail is not in use by the user, this test passes + type: "exact match" + command: gpg_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts" + command_pass: 1 + command_fail: 0 + case_sensitive: false } ] fix: 
@@ -1781,16 +1840,29 @@ { //Mail->Preferences->GPGMail->Composing->Sign new messages by default description: "New e-mails composed in Apple Mail are signed by GPGMail." - confidence: "required" + confidence: required tests: [ { + //If Apple Mail is not in use by the user, this test passes type: "exact match" - command: - AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOSIGN" ]; then echo 1; else echo 0; fi - command_pass: "1" - command_fail: "0" - case_sensitive: "false" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + //If GPG Mail is not in use by the user, this test passes + type: "exact match" + command: gpg_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault" + command_pass: 1 + command_fail: 0 + case_sensitive: false } ] fix: 
@@ -1802,16 +1874,29 @@ { //Mail->Preferences->GPGMail->Updates->Automatically check for updates description: "Apple Mail with automatically check for updates to GPGMail." - confidence: "required" + confidence: required tests: [ { + //If Apple Mail is not in use by the user, this test passes type: "exact match" - command: - AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n "$AUTOCHECK" ]; then echo 1; else echo 0; fi - command_pass: "1" - command_fail: "0" - case_sensitive: "false" + command: apple_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + //If GPG Mail is not in use by the user, this test passes + type: "exact match" + command: gpg_mail_in_use + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks" + command_pass: 1 + command_fail: 0 + case_sensitive: false } ] fix: diff --git a/osx-config.json b/osx-config.json index d4d4acb..8c955fc 100644 --- a/osx-config.json +++ b/osx-config.json 
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "REMOTELOAD=$(defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/com.apple.mail-shared.plist) ] || [ -n \"$REMOTELOAD\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "AUTOENCRYPT=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPT\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOENCRYPTDRAFTS=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOENCRYPTDRAFTS\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOSIGN=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault | grep 1) ; if [ ! 
-e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOSIGN\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "AUTOCHECK=$(defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks | grep 1) ; if [ ! -e $(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist) ] || [ -n \"$AUTOCHECK\" ]; then echo 1; else echo 0; fi", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", 
"command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | 
grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": 
"systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 
is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill 
usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. 
This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read 
~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}]
\ No newline at end of file
diff --git a/scripts/api.sh b/scripts/api.sh
index f2c997b..26ec8f9 100644
--- a/scripts/api.sh
+++ b/scripts/api.sh
@@ -60,3 +60,25 @@ function little_snitch_is_installed {
 echo 0
 fi
 }
+
+function apple_mail_in_use {
+ #I use "ls" here to resolve the "~" symbol to the fully qualified file path
+ #that "test" requires.
+ IN_USE=$(ls ~/Library/Preferences/com.apple.mail-shared.plist)
+ if [ -e $IN_USE ]; then
+ echo 1
+ else
+ echo 0
+ fi
+}
+
+function gpg_mail_in_use {
+ #I use "ls" here to resolve the "~" symbol to the fully qualified file path
+ #that "test" requires.
+ IN_USE=$(ls ~/Library/Preferences/org.gpgtools.gpgmail.plist)
+ if [ -e $IN_USE ]; then
+ echo 1
+ else
+ echo 0
+ fi
+}
From 7f842e16629a31b791816c27313ad16e36e9ab31 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Wed, 31 Aug 2016 20:26:55 -0400
Subject: [PATCH 33/43] generalize detection of Google Chrome being open

This aims to solve https://github.com/kristovatlas/osx-config-check/issues/116
---
 osx-config.hjson | 4 ++--
 osx-config.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/osx-config.hjson b/osx-config.hjson
index 23a74d4..be641bf 100644
--- a/osx-config.hjson
+++ b/osx-config.hjson
@@ -1922,8 +1922,8 @@
 },
 {
 type: "exact match"
- command: "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'"
- command_pass: 2 //a value of "3" means it's running -- the other 2 are `/bin/sh` and the `grep` command.
+ command: "ps ax | grep -c 'Google Chrome.app'"
+ command_pass: 2 //a value of "3" or higher means it's running -- the first 2 are `/bin/sh` and the `grep` command.
 case_sensitive: false
 }
 ]
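Review bot: In `apple_mail_in_use`, `[ -e $IN_USE ]` is true even when the plist is missing: `ls` then prints nothing, the unquoted expansion disappears, and `[ -e ]` becomes a one-argument test of the non-empty string `-e`, so the function echoes 1 in every case. `gpg_mail_in_use` has the same defect. The shell already expands `~`, so the `ls` step is not needed; testing the path directly, `if [ -e "$HOME/Library/Preferences/com.apple.mail-shared.plist" ]; then` (and likewise for `org.gpgtools.gpgmail.plist`), fixes both and keeps `ls` errors off stderr. Checks in osx-config.json appear to gate on these helpers, so a constant 1 would skew which Mail and GPGMail checks run or pass.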
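Review bot: The new `command` still relies on `grep -c` counting itself and the `/bin/sh` wrapper, so `command_pass: 2` holds only if both appear in the `ps` snapshot and no other process has `Google Chrome.app` in its command line. The broader pattern makes that second condition easier to break, since any helper, updater or tool invoked with a path containing that string now raises the count, and the check reports Chrome as open when it is not. A pattern that cannot match its own command line removes the baseline, e.g. `command: "ps ax | grep -c '[G]oogle Chrome.app'"` with `command_pass: 0` (assuming the runner compares stdout rather than the exit status). The enclosing test entry starts and ends outside this hunk, and osx-config.json is generated from this file, so it would need regenerating to match.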
diff --git a/osx-config.json b/osx-config.json
index 8c955fc..777a910 100644
--- a/osx-config.json
+++ b/osx-config.json
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. 
This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read 
~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", 
"command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, 
{"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs 
-I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py 
write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", 
"command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | 
grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": 
"systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 
is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill 
usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. 
This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read 
~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", 
"case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": 
"find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, 
{"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read 
'{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file From ff8a88287aa19a3bd7c7e31663c51a9464693662 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Wed, 31 Aug 2016 21:03:23 -0400 Subject: [PATCH 34/43] Add check for SIP in El Capitan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit QA: Correctly determines that the system is running El Cap and doesn’t fail early, and correctly determines SIP is enabled. No QA for system running pre or post El Cap, nor for systems with SIP disabled. --- osx-config.hjson | 31 ++++++++++++++++++++++++++++++- osx-config.json | 2 +- scripts/api.sh | 10 ++++++++++ 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index be641bf..18a79f0 100644 --- a/osx-config.hjson +++ b/osx-config.hjson 
@@ -1137,7 +1137,36 @@ command: UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep "IOPlatformUUID" | sed -e 's/^.*"\(.*\)"$/\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done } - }, + } + { + description: "System Integrity Protection (SIP) is enabled." + confidence: required + reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection" + tests: + [ + { + //SIP is not available for OS X before 10.11 + //TODO: not sure about 10.12 + type: "exact match" + command: is_el_capitan + command_pass: 0 + case_sensitive: false + } + { + type: "exact match" + command: "csrutil status" + command_pass: "System Integrity Protection status: enabled." + case_sensitive: false + } + ] + fix: + { + manual: + ''' + 1. SIP should be enabled by default on your El Capitan machine. You must boot into "Recovery OS" in order to use the "csrutil enable" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/ + ''' + } + } /* ---- END SYSTEM SETTINGS ---- */ /* ---BEGIN SAFARI BROWSER SETTINGS--- */ diff --git a/osx-config.json b/osx-config.json index 777a910..c462a1e 100644 --- a/osx-config.json +++ b/osx-config.json 
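Review bot: The first test of the new SIP check gates on `is_el_capitan` with `command_pass: 0`, which appears to make the check pass on every release that is not 10.11, including later releases that also ship SIP, so a machine there with SIP disabled would be reported as compliant without `csrutil status` ever running. This reading is inferred from how the other precondition tests in this config (`chrome_is_installed`, `little_snitch_is_installed`) are used; the helper itself is added in scripts/api.sh, outside this hunk, and the commit message notes no QA on pre- or post-El Capitan systems. The gate should skip only releases older than 10.11, for example by having the helper compare the major and minor fields of `sw_vers -productVersion`. Until then, replace the TODO with an explicit statement of the gap: `//FIXME: gate passes on any non-10.11 release, so SIP is never checked on 10.12+`.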
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, 
{"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" 
~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": 
"defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the 
Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not 
automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. 
This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read 
~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", 
"case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": 
"find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, 
{"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read 
'{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' 
profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": 
"^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", 
"command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController 
DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | 
grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": 
"systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 
is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", 
"reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": 
"false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi 
; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file diff --git a/scripts/api.sh b/scripts/api.sh index 26ec8f9..d77342c 100644 --- a/scripts/api.sh +++ b/scripts/api.sh @@ -82,3 +82,13 @@ function gpg_mail_in_use { echo 0 fi } + +function is_el_capitan { + #Detects whether this system is El Capitan + SW_VERSION=$(sw_vers -productVersion) + if [[ $SW_VERSION =~ 10.11.[0-9]+ ]] ; then + echo 1 + else + echo 0 + fi +} From 558d0b3938b7d101c79c2c41e049f1e3a59a1c70 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 13:22:55 -0400 Subject: [PATCH 35/43] This fixes https://github.com/kristovatlas/osx-config-check/issues/140 QA: reviewed output for the following invocations: `python app.py --debug-print` `python app.py --debug-print --report-only` `python app.py --report-only` `python app.py --report-only --skip-sudo-checks` `python app.py --skip-sudo-checks` `python app.py --report-only --skip-sudo-checks --disable-logs` --- app.py | 78 +++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 23 deletions(-) diff --git a/app.py b/app.py index 1fdbe76..9fa24e1 100644 --- a/app.py +++ b/app.py @@ -70,6 +70,20 @@ class CheckResult(object): explicit_pass = 1 explicit_fail = 2 no_pass = 3 + all_skipped = 4 + +def check_result_to_str(val): + """Convert enum to string representation""" + if val == CheckResult.explicit_pass: + return const.PASSED_STR + elif val == CheckResult.explicit_fail: + return const.FAILED_STR + elif val == CheckResult.no_pass: + return const.FAILED_STR + elif val == CheckResult.all_skipped: + return const.SKIPPED_STR + else: + raise ValueError class Confidence(object): """Likelihood that a configuration will create negative side-effects. 
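Review bot: The version test in `is_el_capitan` only matches when a patch component is present, so a system whose `sw_vers -productVersion` prints a bare `10.11` would be reported as not El Capitan; the pattern is also unanchored and its dots match any character. Anchoring and escaping it closes both gaps: `if [[ $SW_VERSION =~ ^10\.11(\.[0-9]+)?$ ]] ; then`. `SW_VERSION` is also assigned without `local`, so it leaks into the calling shell, which matters if api.sh is sourced by the check commands, as the bare function names in the config suggest; declaring it with `local SW_VERSION` avoids that.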
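Review bot: The final `else` in `check_result_to_str` raises a bare `ValueError`, so a caller that passes an unexpected value gets no hint of what it was; `raise ValueError("Unknown CheckResult value: %r" % (val,))` would make the failure diagnosable. The branches for `explicit_fail` and `no_pass` return the same string and could be a single test, `elif val in (CheckResult.explicit_fail, CheckResult.no_pass):`. The docstring could also state that `no_pass` is rendered as failed, since that is a reporting decision rather than a plain conversion.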
@@ -203,6 +217,14 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): Each config check may specify multiple test cases with early-succeed and/or early-fail parameters. + These are the possible conditions resulting from run_check: + 1. One of the tests explicitly passed. + 2. One of the tests explicitly failed. + 3. All of the tests were run and none of them passed or failed. (This + should be considered a fail.) + 4. All of the tests were skipped because we're skipping sudo checks and + the only tests available require sudo privs. + Args: config_check (`ConfigCheck`): The check to perform. May contain multiple commands to test. @@ -211,21 +233,20 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): quiet_fail (bool): Suppress print failed results to stdout? Default: False. - Returns: bool: Whether check passed. + Returns: `CheckResult`: The check explicitly passed, explicitly + failed, never passed, or all checks were skipped. Raises: ValueError if result of _execute_check is not valid. """ assert isinstance(config_check, ConfigCheck) - passed = False + #Assume all tests have been skipped until demonstrated otherwise. + result = CheckResult.all_skipped for test in config_check.tests: #alert user if he might get prompted for admin privs due to sudo use - result_str = None if 'sudo ' in test['command']: - if const.NON_INTERACTIVE: - dprint("Skipping test because app is in non-interactive mode.") - passed = False - result_str = const.SKIPPED_STR + if const.SKIP_SUDO_TESTS: + dprint("Skipping test because app skipping sudo tests.") else: fancy_sudo_command = re.sub( "sudo", const.SUDO_STR, test['command']) 
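Review bot: Initialising `result` to `CheckResult.all_skipped` before the loop in `run_check` only reports a skip when every test in the check was skipped. If an earlier non-sudo test returns `no_pass` and the sudo variant is then skipped under `SKIP_SUDO_TESTS`, `result` stays `no_pass` and the check is printed as failed even though the test that could have decided it never ran. A comment above the loop would make that explicit, for example `#NOTE: a skipped sudo test does not reset an earlier no_pass, so mixed checks report as failed.` The loop body continues outside this hunk, so this reading assumes nothing there reassigns `result` for skipped tests.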
@@ -236,7 +257,7 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): (const.COLORS['BOLD'], const.COLORS['ENDC'], fancy_sudo_command)) - if 'sudo ' not in test['command'] or not const.NON_INTERACTIVE: + if 'sudo ' not in test['command'] or not const.SKIP_SUDO_TESTS: command_pass = None if 'command_pass' in test: command_pass = str(test['command_pass']) @@ -250,7 +271,6 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): command_fail=command_fail) if result == CheckResult.explicit_pass: dprint("Test passed exlicitly for '%s'" % test['command']) - passed = True break elif result == CheckResult.explicit_fail: dprint("Test failed exlicitly for '%s'" % test['command']) @@ -261,20 +281,19 @@ def run_check(config_check, last_attempt=False, quiet_fail=False): else: raise ValueError("Invalid return value from _execute_check.") - if passed or not quiet_fail: - if result_str is None: - result_str = _get_result_str(passed) + if result == CheckResult.explicit_pass or not quiet_fail: msg = ("\nCHECK #%d: %s... %s" % (glob_check_num, config_check.description, - result_str)) + check_result_to_str(result))) print msg if const.WRITE_TO_LOG_FILE: log_to_file(msg) - if not passed and last_attempt and do_warn(config_check): + if (result not in (CheckResult.explicit_pass, CheckResult.all_skipped) and + last_attempt and do_warn(config_check)): warn("Attempted fix %s" % const.FAILED_STR) - return passed + return result def log_to_file(string): """Append string, followed by newline character, to log file. @@ -289,9 +308,6 @@ def log_to_file(string): with open(log_file_loc, 'a+') as log_file: log_file.write("%s\n" % string) -def _get_result_str(result_bool): - return const.PASSED_STR if result_bool else const.FAILED_STR - def _execute_check(command, comparison_type, case_sensitive, command_pass=None, command_fail=None): """Helper function for `run_check` -- executes command and checks result. 
@@ -417,17 +433,31 @@ def do_fix_and_test(config_check): Returns: bool: Whether an attempted fix was successful. """ + dprint("Entered do_fix_and_test()") + if config_check.fix is not None: _try_fix(config_check, use_sudo=False) - if run_check(config_check, last_attempt=False, quiet_fail=True): + check_result = run_check( + config_check, last_attempt=False, quiet_fail=True) + if check_result == CheckResult.explicit_pass: return True if config_check.sudo_fix is not None: _try_fix(config_check, use_sudo=True) - return run_check(config_check, last_attempt=True, quiet_fail=False) + check_result = run_check( + config_check, last_attempt=True, quiet_fail=False) + return True if check_result == CheckResult.explicit_pass else False else: return False +def dprint_settings(): + """Prints current global flags when debug printing is enabled.""" + dprint("ENABLE_DEBUG_PRINT: %s" % str(const.ENABLE_DEBUG_PRINT)) + dprint("WRITE_TO_LOG_FILE: %s" % str(const.WRITE_TO_LOG_FILE)) + dprint("PROMPT_FOR_FIXES: %s" % str(const.PROMPT_FOR_FIXES)) + dprint("ATTEMPT_FIXES: %s" % str(const.ATTEMPT_FIXES)) + dprint("SKIP_SUDO_TESTS: %s" % str(const.SKIP_SUDO_TESTS)) + def main(): """Main function.""" global glob_check_num @@ -437,15 +467,17 @@ def main(): const.WRITE_TO_LOG_FILE = args['write-to-log-file'] const.PROMPT_FOR_FIXES = not args['no-prompt'] const.ATTEMPT_FIXES = not args['report-only'] - const.NON_INTERACTIVE = args['skip-sudo-checks'] + const.SKIP_SUDO_TESTS = args['skip-sudo-checks'] + + dprint_settings() _print_banner() config_checks = read_config(const.DEFAULT_CONFIG_FILE) completely_failed_tests = [] for config_check in config_checks: - if not run_check(config_check): - #config failed check + check_result = run_check(config_check) + if check_result == CheckResult.explicit_fail: if not const.ATTEMPT_FIXES: glob_check_num += 1 continue From a57fd969cdabfb915ab1dafae78d4b53c6596e8f Mon Sep 17 00:00:00 2001 
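Review bot: In `do_fix_and_test`, `return True if check_result == CheckResult.explicit_pass else False` wraps an expression that is already a bool; `return check_result == CheckResult.explicit_pass` reads more directly. The first `run_check` call can now return `all_skipped`, which falls through to the sudo fix just like a failure; a short comment such as `#all_skipped is treated as not-passed here` would record whether that is intended.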
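Review bot: The new condition in `main`, `if check_result == CheckResult.explicit_fail:`, no longer treats `CheckResult.no_pass` as a failure, although the `run_check` docstring added in this commit says that outcome should be considered a fail and `check_result_to_str` prints it as failed. The old `if not run_check(config_check):` covered every non-passing outcome, so checks whose tests define only `command_pass` would now be printed as failed but skipped for fixing, and presumably left out of `completely_failed_tests`. `if check_result in (CheckResult.explicit_fail, CheckResult.no_pass):` keeps the previous behaviour while still leaving `all_skipped` alone. The rest of the loop body is outside this hunk.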
From: Kristov Atlas Date: Thu, 1 Sep 2016 13:24:32 -0400 Subject: [PATCH 36/43] remove non-sudo version of check for 'Automatic check for software updates is enabled' This removed version never worked and is not likely to work in the future without sudo privs. By removing this, it helps me see what output should look like when only a sudo version of the test is supplied and the user explicitly skips sudo checks. --- osx-config.hjson | 6 ------ osx-config.json | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index 18a79f0..1cad95c 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -554,12 +554,6 @@ reference: "https://github.com/SummitRoute/osxlockdown/" tests: [ - { - type: "exact match" - command: "softwareupdate --schedule | grep -i 'Automatic check is on'" - command_pass: "Automatic check is on" - case_sensitive: "false" - }, { type: "exact match" command: "sudo softwareupdate --schedule | grep -i 'Automatic check is on'" diff --git a/osx-config.json b/osx-config.json index c462a1e..a6263e3 100644 --- a/osx-config.json +++ b/osx-config.json 
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup 
getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": 
"Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": 
"false"}], "fix": {"command": "brew update ; brew install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, 
{"description": "FileVault file system encryption is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice 
| grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
BlockStoragePolicy -bool false"}}, {"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari 
PlugInFirstVisitPolicy PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, 
"undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": 
"false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, 
{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" 
-maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": 
[{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | 
xargs -I{} python ./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": 
"required", "reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", 
"case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", 
"command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo 
\"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, 
{"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", 
"command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network 
interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", 
"reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": 
"false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi 
; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}]
\ No newline at end of file
From 5da618371465812f64483bd74f023b48724b4a50 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 16:10:58 -0400 Subject: [PATCH 37/43] fix bug that prevented fix from being applied sometimes This was introduced in https://github.com/kristovatlas/osx-config-check/pull/144 I think.
---
 app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.py b/app.py
index 9fa24e1..d4c11d3 100644
--- a/app.py
+++ b/app.py
@@ -477,7 +477,7 @@ def main():
 completely_failed_tests = []
 for config_check in config_checks:
 check_result = run_check(config_check)
- if check_result == CheckResult.explicit_fail:
+ if check_result in (CheckResult.explicit_fail, CheckResult.no_pass):
 if not const.ATTEMPT_FIXES:
 glob_check_num += 1
 continue
From 7a252dd4ff21a2b1e59ee3adf2bf89d93d5a5d37 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 16:17:44 -0400 Subject: [PATCH 38/43] give fix commands access to api.sh functions
---
 app.py | 1 + 1 file changed, 1 insertion(+)
diff --git a/app.py b/app.py
index d4c11d3..9677418 100644
--- a/app.py
+++ b/app.py
@@ -410,6 +410,7 @@ def _try_fix(config_check, use_sudo=False):
 stdoutdata = ""
 stderrdata = ""
 if command is not None:
+ command = "source %s ; %s" % (const.API_FILENAME, command)
 process = Popen(command, stdout=PIPE, stderr=STDOUT, shell=True)
 stdoutdata, stderrdata = process.communicate()
From 45e12645152733aa81925a4eb8703cbb036bb343 Mon Sep 17 00:00:00 2001
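Review bot: The widened condition `if check_result in (CheckResult.explicit_fail, CheckResult.no_pass):` carries no comment saying why an inconclusive result is now handled like a failure, and the distinction matters because this branch goes on to attempt fixes. If `no_pass` means that no test output matched `command_pass` (its definition is outside the hunk), a check whose test command merely errored or printed something unexpected will now have its fix run as well. I would add `# no_pass: no test matched command_pass; treated as a failure so the fix is still attempted` above the condition and confirm that every fix is safe to apply to a system whose state was not positively identified. main() starts and continues outside the hunk.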
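Review bot: The prefix built by `command = "source %s ; %s" % (const.API_FILENAME, command)` joins its two parts with `;`, so when the API file cannot be sourced the fix command still runs, without the helper functions it may depend on; `&&` would stop instead. `const.API_FILENAME` is also interpolated unquoted into a string handed to `Popen(..., shell=True)`, so a path containing a space or a shell metacharacter is split or interpreted by the shell, and if the value is a relative path (it is not visible here) the result also depends on the working directory. Suggested line: `command = "source %s && %s" % (pipes.quote(const.API_FILENAME), command)`, using `shlex.quote` instead on Python 3. _try_fix starts and continues outside the hunk.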
From: Kristov Atlas Date: Thu, 1 Sep 2016 16:18:32 -0400 Subject: [PATCH 39/43] fix the disabling of AirDrop This applies two fixes to the AirDrop setting: 1) Based on https://github.com/kristovatlas/osx-config-check/pull/89 by @hypn this writes defaults for only the current user 2) Through testing on a live system I determined that even a system with AirDrop enabled will not necessarily have the `com.apple.NetworkBrowser` domain defined, but if we do define it manually and set DisableAirDrop to true, then AirDrop is disabled. Note that AirDrop generally requires iCloud sign-in before it can be enabled. The new defaults_write_ignore_missing API function could be used for other writes to defaults if needed. --- osx-config.hjson | 5 ++--- osx-config.json | 2 +- scripts/api.sh | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index 1cad95c..fb26b4c 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -664,10 +664,9 @@ ] fix: { - command: "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true" - sudo_command: "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true" + command: "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true" } - undo: "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false" + undo: "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false" }, /* Begin: System Preferences->Sharing */ diff --git a/osx-config.json b/osx-config.json index a6263e3..5ccb13a 100644 --- a/osx-config.json +++ b/osx-config.json 
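Review bot: The fix now writes `DisableAirDrop` to the current user's `com.apple.NetworkBrowser` domain, but the check's `tests` entry ends above the hunk, so it is not visible whether the test reads that same per-user domain; if it still reads `/Library/Preferences/com.apple.NetworkBrowser`, the check would keep failing after a successful fix. With `sudo_command` dropped and the write scoped to one user, the setting presumably no longer covers other accounts on the machine, which the check's description should say. `defaults_write_ignore_missing` comes from scripts/api.sh (changed in this commit, outside this hunk), so the fix only works when the runner sources that file first; a comment above `command:` such as `/* requires scripts/api.sh to be sourced by the runner */` would record the dependency.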
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", 
"command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write /Library/Preferences/com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is 
disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple 
Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network 
Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", 
"reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": 
"false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi 
; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled 
-bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, 
{"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": 
"Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": 
"exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", 
"reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": 
"false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi 
; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}]
\ No newline at end of file
diff --git a/scripts/api.sh b/scripts/api.sh
index d77342c..a2dbad4 100644
--- a/scripts/api.sh
+++ b/scripts/api.sh
@@ -92,3 +92,37 @@ function is_el_capitan {
 echo 0
 fi
 }
+
+function does_defaults_domain_exist {
+ DOMAIN=$1
+ READ_VAL=$(defaults read $DOMAIN 2>&1 | tail -n 1 )
+ if [[ $READ_VAL =~ "Domain $DOMAIN does not exist" ]]; then
+ echo 0
+ else
+ echo 1
+ fi
+}
+export -f does_defaults_domain_exist
+
+function defaults_write_ignore_missing {
+ #Usage: defaults_write_ignore_missing mydomain key -type value
+ #e.g.: defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true
+ #Writes to the specified domain using the 'defaults' utility, but will
+ #initialize the domain with a blank plist value if the domain does not
+ #already exist.
+ DOMAIN=$1
+ KEY=$2
+ DATA_TYPE=$3
+ VAL=$4
+
+ DOMAIN_EXISTS=$(does_defaults_domain_exist $DOMAIN)
+ if [ "$DOMAIN_EXISTS" = "0" ]; then
+ defaults write $DOMAIN '{"osxconfig-reserved" = 1;}'
+ DOMAIN_EXISTS=$(does_defaults_domain_exist $DOMAIN)
+ if [ "$DOMAIN_EXISTS" = "0" ]; then
+ echo "Could not successfully create the specified domain."
+ exit
+ fi
+ fi
+ defaults write $DOMAIN $KEY $DATA_TYPE $VAL
+}
From cc5a402d33b91ac89276c4659dfd8a18a55688e3 Mon Sep 17 00:00:00 2001
From: Kristov Atlas
Date: Thu, 1 Sep 2016 16:48:45 -0400
Subject: [PATCH 40/43] various changes to language of config check descriptions

This fulfills https://github.com/kristovatlas/osx-config-check/issues/70
---
 osx-config.hjson | 22 +++++++++++-----------
 osx-config.json | 2 +-
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/osx-config.hjson b/osx-config.hjson
index fb26b4c..e4e037f 100644
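Review bot: In `defaults_write_ignore_missing` (scripts/api.sh hunk), the failure branch calls a bare `exit` straight after a successful `echo`, so the function ends with status 0 when the domain could not be created, and if api.sh is sourced into the caller (the `export -f` in the same hunk suggests the functions are shared across shells) it would also end the caller's shell; `return 1` would signal the failure without that side effect. The expansions in both new functions are unquoted, so a domain path or value containing spaces or glob characters is split or expanded before `defaults` receives it; `defaults read "$DOMAIN"` and `defaults write "$DOMAIN" "$KEY" "$DATA_TYPE" "$VAL"` keep each argument intact. `does_defaults_domain_exist` is exported but `defaults_write_ignore_missing` is not, which looks like an omission if the fix commands in the config are meant to call it.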
--- a/osx-config.hjson +++ b/osx-config.hjson @@ -7,7 +7,7 @@ /* syntax: [ { - `description` is a human-readable string describing the configuration being checked. (REQUIRED FIELD) + `description` is a human-readable string describing the configuration being checked; it should be a present-tense statement about a positive security configuration. (REQUIRED FIELD) `confidence` indicates subjective estimation of negative side-effects. valid values: "required", "recommended", "experimental". (REQUIRED FIELD) `reference` provides a link to where a user can find more information about this configuration, or a citation of where this configuration was taken from. (OPTIONAL FIELD) `tests`: // is an ordered array of test objects. (REQUIRED FIELD, should not be empty) @@ -419,7 +419,7 @@ }, { //System Preferences->Security & Privacy->Firewall->Firewall Options...->Automatically allow signed software to receive incoming connections - description: "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide)." + description: "Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" tests: @@ -441,7 +441,7 @@ }, { //System Preferences->Security & Privacy->Firewall->Firewall Options...->Automatically allow signed software to receive incoming connections - description: "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only)." + description: "Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only)." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" tests: 
@@ -482,7 +482,7 @@ undo: "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true" }, { - description: "OpenSSL is up-to-date." + description: "OpenSSL is up to date." confidence: "required" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" tests: @@ -928,7 +928,7 @@ undo: "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true" }, { - description: "The File Vault key is destroyed when going to standby mode." + description: "The File Vault key is protected when going to standby mode." //Once this set of configurations is proven stable, this can be upgraded from "experimental" to "recommended". We may want to warn the user first that waking will be slower and require authenticating twice. confidence: "experimental" reference: "https://github.com/drduh/OS-X-Security-and-Privacy-Guide" @@ -1340,7 +1340,7 @@ }, { //Safari->Preferences->Security->Web Content->Enable JavaScript - description: "JavaScript disabled in the Safari web browser." + description: "JavaScript is disabled in the Safari web browser." confidence: "recommended" tests: [ @@ -1359,7 +1359,7 @@ undo: "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true" }, { - description: "JavaScript disabled in the Safari web browser (Legacy version)." + description: "JavaScript is disabled in the Safari web browser (Legacy version)." confidence: "recommended" tests: [ @@ -1677,7 +1677,7 @@ { //Safari->Preferences->Advanced->Smart Search Field->Show full website address //This might help prevent phishing attacks - description: "Full website addresses are disabled in the location bar of the Safari web browser." + description: "Full website addresses are displayed in the location bar of the Safari web browser." confidence: "required" tests: [ 
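Review bot: The new description in the `@@ -928,7` hunk, "The File Vault key is protected when going to standby mode.", tells the user less about what is being verified than the line it replaces. The context comment in the same hunk warns that waking will be slower and require authenticating twice, which suggests the key really is discarded on standby rather than merely protected. A wording such as `description: "The FileVault key is removed from memory when going to standby mode."` stays a present-tense positive statement while still naming the control; the tests for this entry are outside the hunk, so confirm the wording against them.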
@@ -1895,7 +1895,7 @@ }, { //Mail->Preferences->GPGMail->Updates->Automatically check for updates - description: "Apple Mail with automatically check for updates to GPGMail." + description: "Apple Mail automatically checks for updates to GPGMail." confidence: required tests: [ @@ -2035,7 +2035,7 @@ }, { //Chrome->Preferences->Show Advanced Settings->Privacy->Automatically report details of possible security incidents to Google - description: "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google." + description: "All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google." confidence: "recommended" tests: [ @@ -2355,7 +2355,7 @@ { //Note: I'm not so clear on what 'clear_lso_data_enabled' does. Maybe it should typically be set to true? 'False' is the setting achieved when you disable Flash through the plugins GUI. //chrome://plugins/->Adobe Flash Player->Disable - description: "All Google Chrome web browser profiles have disabled Flash cookies." + description: "All Google Chrome web browser profiles block Flash cookies." confidence: "required" reference: "https://en.wikipedia.org/wiki/Local_shared_object" tests: diff --git a/osx-config.json b/osx-config.json index 5ccb13a..6fc259d 100644 --- a/osx-config.json +++ b/osx-config.json 
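Review bot: The new description in the `@@ -2035,7` hunk reads "by blocking security incidents reports to Google", where the plural "incidents" is a grammar slip in user-facing text. `description: "All Google Chrome web browser profiles prevent information leakage by blocking security incident reports to Google."` reads cleanly and keeps the intended meaning.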
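Review bot: In the `@@ -2355,7` hunk the description now asserts that profiles "block Flash cookies", while the context comment directly above still says the author is not clear on what `clear_lso_data_enabled` does and whether it should be true. For an entry marked `confidence: "required"`, the description should not promise more than the setting is known to deliver; the key name reads as if it might govern whether Flash local shared objects are cleared, in which case `False` could be the less protective value, so this is worth verifying before the stronger wording ships. Until then a wording tied to the setting, such as `description: "All Google Chrome web browser profiles have the Flash cookie (LSO) setting disabled."`, avoids overstating the check.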
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up-to-date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": 
[{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, 
{"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", 
"command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is destroyed when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are disabled in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail with automatically check for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", 
"reference": "http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": 
"false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi 
; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up to date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, 
{"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": 
"Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": 
"exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is protected when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript is disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are displayed in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail automatically checks for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles block Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file From 90fefdd483bbdb4d2eba532384922f1c1e8b2d80 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 17:04:25 -0400 Subject: [PATCH 41/43] fix config check: chrome pop-ups Regex now adjusted so it will fail if any one of the profiles is broken. QA: confirmed that it identifies a broken profile and fixes it appropriately. --- osx-config.hjson | 2 +- osx-config.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/osx-config.hjson b/osx-config.hjson index e4e037f..60c118f 100644 --- a/osx-config.hjson +++ b/osx-config.hjson @@ -2183,7 +2183,7 @@ command: find ~/Library/Application\ Support/Google/Chrome -name "Preferences" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups command_pass: - ^(The attribute 'profile.default_content_setting_values.popups' does not exist\n?)|(None\n?)+$ + ^((The attribute 'profile.default_content_setting_values.popups' does not exist in '[^']+'\.\n?)|(None\n?))+$ case_sensitive: "false" } ] diff --git a/osx-config.json b/osx-config.json index 6fc259d..5cb2031 100644 --- a/osx-config.json +++ b/osx-config.json 
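Review bot: In the new `command_pass` of the osx-config.hjson hunk, the sentence-ending dot is escaped but the two dots inside the attribute name are not, so each of them matches any character; writing `'profile\.default_content_setting_values\.popups'` keeps the pattern literal. The pattern also depends on the exact wording of the message printed by chrome_defaults.py and, through `[^']+`, on Preferences paths that contain no apostrophe, so a reworded message or such a path would make a compliant profile fail the check. A comment above `command_pass`, for example `# passes only when every profile reports the popups key as missing or None`, would record why both alternatives count as a pass. The test object this line belongs to starts above the hunk, so the check that precedes it is not visible here.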
@@ -1 +1 @@ -[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. 
You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. 
See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read 
/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking 
the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", 
"case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up to date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", 
"tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i 
-a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, {"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact 
match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": "Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": 
"exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", 
"case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is protected when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript is disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are displayed in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail automatically checks for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^(The attribute 'profile.default_content_setting_values.popups' does not exist\\n?)|(None\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name 
\"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles block Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file +[{"_comment": "DO NOT EDIT THIS FILE. THIS WAS AUTOMATICALLY GENERATED BY THE hjson_to_json.py SCRIPT. INSTEAD, EDIT THE osx-config.hjson FILE."}, {"description": "Homebrew is installed.", "confidence": "required", "tests": [{"type": "exact match", "command": "echo $(homebrew_is_installed)", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"sudo_command": "/usr/bin/ruby ./scripts/homebrew_install_ed33f044812cc9c509a4d8e6997c44441b06dd4e1fc87f131ee9f319d77fcd50.rb", "manual": "Homebrew is a useful tool for installing and updating programs from the command line.\nThere are various things that can go wrong when attempting to install Homebrew.\nPlease review their installation guide here:\nhttps://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Installation.md"}}, {"description": "Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)", "confidence": "required", "tests": [{"type": "exact match", "command": "bash ./scripts/check_usr_local_bin_pos.sh", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Java Runtime Environment is up to date.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "java_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "java -version 2>&1 >/dev/null | grep 'java version'", "command_pass": "java version \"1.8.0_102\"", "case_sensitive": false}], "fix": {"manual": "1. Your installation of Java is not up to date. You can either update it or remove it.\n2. To update Java, see: https://www.java.com/en/download/faq/java_mac.xml\n3. To remove Java, see: https://www.java.com/en/download/help/mac_uninstall_java.xml"}}, {"description": "The System Preferences application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/System Preferences.app/Contents/MacOS/System Preferences'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"System Preferences\" ; sleep 1"}}, {"description": "Current user is a non-admin account.", "confidence": "required", "tests": [{"type": "exact match", "command": "id -Gn | grep -c -w admin", "command_pass": "0", "case_sensitive": "false"}], "fix": {"manual": "1. For most of your work, you should be logged into a non-administrator account. If you've already set this up and you're just logged into your admin account in order to run this tool as prescribed, you can ignore this failed test.\n2. To create a new, non-admin user for most of your work: Open System Preferences.\n3. Select \"Users & Groups\".\n4. If necessary, click the lock icon in the lower left corner and provide your administrator credentials.\n5. Click the \"+\" to create a new user. 
Make sure the \"Allow user to administer this computer\" checkbox is un-checked for that user.\n6. You may also want to add your non-administrator user to a list of users who can use the \"sudo\" command within the Terminal application to briefly gain administrator-like credentials for special circumstances. See: http://osxdaily.com/2014/02/06/add-user-sudoers-file-mac/"}}, {"description": "The OSX application firewall is enabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "The OSX application firewall is enabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "little_snitch_is_installed", "command_pass": 1, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf globalstate", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true", "sudo_command": "sudo defaults -currentHost write ~/Library/Preferences/com.apple.alf globalstate -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (system-wide).", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "A password is required to wake the computer from sleep or screen saver (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.screensaver askForPassword", "command_pass": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.screensaver askForPassword -bool true"}}, {"description": "There is no delay between starting the screen saver and locking the machine (system-wide).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults -currentHost read /Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.screensaver 
askForPasswordDelay -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write /Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "There is no delay between starting the screen saver and locking the machine (current user only).", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.screensaver askForPasswordDelay", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.screensaver askForPasswordDelay -bool true"}, {"description": "Logging is enabled for the operating system.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf loggingenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf loggingenabled -bool true"}}, {"description": "Homebrew analytics are disabled.", "confidence": "required", "reference": "https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md", "tests": [{"type": "exact match", "command": "[[ -n $HOMEBREW_NO_ANALYTICS ]] && echo 1 || echo 0", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "grep -q 'export HOMEBREW_NO_ANALYTICS=1' ~/.profile || echo 
'export HOMEBREW_NO_ANALYTICS=1' >> ~/.profile ; source ~/.profile", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. 
(current user only)", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf stealthenabled", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool true", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.alf stealthenabled -bool false"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool true"}, {"description": "Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only).", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.alf allowsignedenabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.alf allowsignedenabled -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/com.apple.alf 
allowsignedenabled -bool true"}, {"description": "Captive portal for connecting to new networks is disabled to prevent MITM attacks.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.captive.control Active", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false"}, "undo": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool true"}, {"description": "OpenSSL is up to date.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "openssl version", "command_pass": "OpenSSL 1.0.2h 3 May 2016", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install openssl ; brew upgrade openssl ; bash ./scripts/set_openssl_latest_path.sh", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. 
Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Hidden files are displayed in Finder.", "confidence": "recommended", "reference": "http://lifehacker.com/the-best-hidden-settings-you-can-unlock-with-os-xs-ter-1476627111", "tests": [{"type": "exact match", "command": "defaults -currentHost read /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock", "sudo_command": "sudo defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool true && killall Dock"}, "undo": "defaults -currentHost write /Library/Preferences/SystemConfiguration/com.apple.finder AppleShowAllFiles -bool false && killall Dock"}, {"description": "All application software is currently up to date.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "LASTUPDATE=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate | grep LastSuccessfulDate | sed -e 's@^.* \"\\([0-9\\\\-]*\\) .*$@\\1@'); if [ \"$LASTUPDATE\" = \"$(date +%Y-%m-%d)\" ];then echo 1 && exit; fi; echo 0 && exit", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "softwareupdate -i -a", "sudo_command": "sudo softwareupdate -i -a"}}, {"description": "Automatic check for software updates is enabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/", "tests": [{"type": "exact match", "command": "sudo softwareupdate --schedule | grep -i 'Automatic check is on'", "command_pass": "Automatic check is on", "case_sensitive": "false"}], "fix": {"command": "softwareupdate --schedule on", "sudo_command": "sudo softwareupdate --schedule on"}}, 
{"description": "GateKeeper protection against untrusted applications is enabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "spctl --status | grep -i 'assessments enabled'", "command_pass": "assessments enabled", "case_sensitive": "false"}], "fix": {"command": "spctl --master-enable", "sudo_command": "sudo spctl --master-enable"}, "undo": "sudo spctl --master-disable"}, {"description": "Bluetooth is disabled.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; sudo killall -HUP blued"}, "undo": "defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool true; killall -HUP blued"}, {"description": "The infrared receiver is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool false"}, "undo": "defaults write 
/Library/Preferences/com.apple.driver.AppleIRController DeviceEnabled -bool true"}, {"description": "AirDrop file sharing is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo defaults read com.apple.NetworkBrowser DisableAirDrop", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults_write_ignore_missing com.apple.NetworkBrowser DisableAirDrop -bool true"}, "undo": "defaults write com.apple.NetworkBrowser DisableAirDrop -bool false"}, {"description": "File sharing is disabled.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(launchctl list | egrep AppleFileServer)\" ]; then exit 1; fi; if [ -n \"$(grep -i array /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist)\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist; launchctl unload -w /System/Library/LaunchDaemons/com.apple.smbd.plist"}}, {"description": "Printer sharing is disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(system_profiler SPPrintersDataType | grep Shared | grep Yes)\" ]; then echo 1; exit; fi; if [ -n \"$(system_profiler SPPrintersDataType | grep 'System Printer Sharing: Yes')\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "cupsctl --no-share-printers"}}, {"description": 
"Remote login is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremotelogin", "command_pass": "Remote Login: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -f -setremotelogin off", "sudo_command": "sudo systemsetup -f -setremotelogin off"}, "undo": "sudo systemsetup -f -setremotelogin on"}, {"description": "Remote Management is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "if [ -n \"$(ps -ef | egrep \"/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/[A]RDAgent\")\" ]; then echo 1; exit; fi; echo 0; exit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop", "sudo_command": "sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop"}}, {"description": "Remote Apple events are disabled.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup -getremoteappleevents", "command_pass": "Remote Apple Events: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setremoteappleevents off", "sudo_command": "systemsetup -setremoteappleevents off"}, "undo": "sudo systemsetup -setremoteappleevents on"}, {"description": "Internet Sharing is disabled on all network interfaces.", "confidence": "required", "reference": 
"https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "defaults read /Library/Preferences/SystemConfiguration/com.apple.nat NAT | grep -c 'Enabled = 1'", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false", "sudo_command": "sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.nat NAT -dict-add Enabled -bool false"}}, {"description": "Wake on Network Access feature is disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getwakeonnetworkaccess", "command_pass": "Wake On Network Access: Off", "case_sensitive": "false"}], "fix": {"command": "systemsetup -setwakeonnetworkaccess off", "sudo_command": "sudo systemsetup -setwakeonnetworkaccess off"}, "undo": "sudo systemsetup -setwakeonnetworkaccess on"}, {"description": "Automatic setting of time and date is disabled.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}, {"type": "exact match", "command": "sudo systemsetup getusingnetworktime", "command_pass": "Network Time: Off", "command_fail": "Network Time: On", "case_sensitive": "false"}], "fix": {"command": "systemsetup setusingnetworktime off", "sudo_command": "sudo systemsetup setusingnetworktime off"}, "undo": "sudo systemsetup setusingnetworktime on"}, {"description": "IPv6 is disabled on all network interfaces.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": 
"exact match", "command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then echo 1; fi; done; echo 0; exit", "command_pass": "0", "case_sensitive": "false"}], "fix": {"command": "networksetup -listallnetworkservices | while read i; do SUPPORT=$(networksetup -getinfo \"$i\" | grep \"IPv6: Automatic\") && if [ -n \"$SUPPORT\" ]; then networksetup -setv6off \"$i\"; fi; done;"}}, {"description": "An administrator password is required to change system-wide preferences.", "confidence": "required", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "exact match", "command": "if [ -n \"$(security authorizationdb read system.preferences 2> /dev/null | grep -A1 shared | grep -E '(true|false)' | grep 'false')\" ]; then echo 0; else echo 1; fi", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "security authorizationdb read system.preferences > /tmp/system.preferences.plist &&/usr/libexec/PlistBuddy -c \"Set :shared false\" /tmp/system.preferences.plist && security authorizationdb write system.preferences < /tmp/system.preferences.plist"}}, {"description": "Documents are not stored to iCloud Drive by default. 
(May be mistaken if iCloud is disabled)", "confidence": "required", "reference": "http://mjtsai.com/blog/2014/10/26/yosemite-uploads-unsaved-documents-and-recent-addresses-to-icloud/", "tests": [{"type": "exact match", "command": "defaults read NSGlobalDomain NSDocumentSaveNewDocumentsToCloud", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false"}, "undo": "defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool true"}, {"description": "The File Vault key is protected when going to standby mode.", "confidence": "experimental", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "exact match", "command": "bash ./scripts/DestroyFVKeyOnStandby_check.sh", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "pmset -a destroyfvkeyonstandby 1 ; pmset -a hibernatemode 25 ; pmset -a powernap 0 ; pmset -a standby 0 ; pmset -a standbydelay 0; pmset -a autopoweroff 0", "sudo_command": "sudo pmset -a destroyfvkeyonstandby 1 ; sudo pmset -a hibernatemode 25 ; sudo pmset -a powernap 0 ; sudo pmset -a standby 0 ; sudo pmset -a standbydelay 0; sudo pmset -a autopoweroff 0"}}, {"description": "The system will store a copy of memory to persistent storage, and will remove power to memory.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "pmset -g", "command_pass": ".*hibernatemode\\s+25.*", "case_sensitive": "false"}], "fix": {"command": "pmset -a hibernatemode 25", "sudo_command": "sudo pmset -a hibernatemode 25"}}, {"description": "git is up to date or is not installed", "confidence": "required", "tests": [{"type": "regex match", "command": "git --version", "command_pass": ".*(command not found|2\\.9\\.3).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew 
install git ; brew upgrade git ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\"", "manual": "1. Bring the Terminal application to the foreground if it is not already. You should see the word \"Terminal\" in the top left corner of your screen.\n2. Select Terminal->Quit\n3. Re-open the Terminal application and run the tool again; this check should now pass."}}, {"description": "Apple Push Notifications are disabled.", "confidence": "recommended", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}, {"type": "regex match", "command": "sudo launchctl list", "command_pass": "^((?!com\\.apple\\.apsd).)*$", "case_sensitive": "false"}], "fix": {"command": "launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist", "sudo_command": "sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, "undo": "sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.apsd.plist"}, {"description": "Google DNS servers are used by default on all network interfaces.", "confidence": "recommended", "tests": [{"type": "regex match", "command": "networksetup listallnetworkservices | grep -v 'An asterisk' | xargs -I{} networksetup -getdnsservers '{}' ", "command_pass": "^(8\\.8\\.8\\.8\\n8\\.8\\.4\\.4\n*)+$", "case_sensitive": "false"}], "fix": {"sudo_command": "sudo bash ./scripts/use_google_dns.sh"}}, {"description": "The curl utility is up to date or absent from the system.", "confidence": "required", "tests": [{"type": "regex match", "command": "curl --version", "command_pass": ".*(command not found|7\\.50\\.1).*", "case_sensitive": "false"}], "fix": {"command": "brew update ; brew install curl ; brew upgrade curl ; python ./scripts/set_path_precedence.py \"/usr/local/bin\" \"/usr/bin\""}, "undo": "brew unlink curl"}, {"description": "FileVault file system encryption is 
enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*FileVault is On.*$", "case_sensitive": "false"}], "fix": {"manual": "1. Open System Preferences.\n2. Select \"Security & Privacy\"\n3. Select \"FileVault\".\n4. Click the \"Turn On FileVault\" button and follow the instructions.\n5. Decline to use iCloud or other Apple accounts for login. Instead, allow it to generate an offline decryption key. Store your decryption key somewhere safe so that you can decrypt your hard drive if something breaks, but prevent your enemies from acquiring yoru decryption key."}, "undo": ""}, {"description": "FileVault file system encryption is enabled at the root directory.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide", "tests": [{"type": "regex match", "command": "fdesetup status -verbose", "command_pass": "^.*device path \\=\\s+.*$", "case_sensitive": "false"}], "fix": {"manual": "Sorry, no instructions are currently available to remediate this issue."}}, {"description": "The idle timer for screen saver activation is set to 10 minutes or less.", "confidence": "recommended", "reference": "https://github.com/SummitRoute/osxlockdown/blob/58697f5162fe9e43df7dc9b6b94ffa34b0e11d4f/commands.yaml", "tests": [{"type": "regex match", "command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then TIMEOUT=$(defaults read $PREF.plist idleTime) && if [ $TIMEOUT -eq 0 ] || [ $TIMEOUT -gt 600 ]; then echo 1; fi; else echo 0; fi; done;", "command_pass": "^(0\n*)+$", "case_sensitive": "false"}], "fix": {"command": "UUID=`ioreg -rd1 -c IOPlatformExpertDevice | grep \"IOPlatformUUID\" | sed -e 
's/^.*\"\\(.*\\)\"$/\\1/'`; for i in $(find /Users -type d -maxdepth 1); do PREF=$i/Library/Preferences/ByHost/com.apple.screensaver.$UUID; if [ -e $PREF.plist ]; then defaults -currentHost write $PREF.plist idleTime -int 600; fi; done"}}, {"description": "System Integrity Protection (SIP) is enabled.", "confidence": "required", "reference": "https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection", "tests": [{"type": "exact match", "command": "is_el_capitan", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "csrutil status", "command_pass": "System Integrity Protection status: enabled.", "case_sensitive": false}], "fix": {"manual": "1. SIP should be enabled by default on your El Capitan machine. You must boot into \"Recovery OS\" in order to use the \"csrutil enable\" command. See: https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/"}}, {"description": "The Safari application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Safari.app/Contents/MacOS/Safari'", "command_pass": "2", "case_sensitive": "false"}], "fix": {"command": "killall \"Safari\" ; sleep 1"}}, {"description": "Safari will not auto-fill credit card data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillCreditCardData -bool false"}}, {"description": "Safari will not auto-fill your contact data.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read 
~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillFromAddressBook -bool false"}}, {"description": "Safari will not auto-fill miscellaneous forms.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillMiscellaneousForms -bool false"}}, {"description": "Safari will not auto-fill usernames or passwords.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoFillPasswords", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoFillPasswords -bool false"}}, {"description": "Files downloaded in Safari are not automatically opened.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool false"}}, {"description": "Cookies and local storage are always blocked in Safari.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari BlockStoragePolicy", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari BlockStoragePolicy -bool false"}}, 
{"description": "Safari extensions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ExtensionsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ExtensionsEnabled -bool false"}}, {"description": "The Safari web browser will warn when visiting known fraudulent websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WarnAboutFraudulentWebsites -bool false"}, {"description": "JavaScript is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptEnabled -bool true"}, {"description": "JavaScript is disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": 
{"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptEnabled -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "Pop-up windows are blocked in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaScriptCanOpenWindowsAutomatically -bool true"}, {"description": "The WebGL plug-in is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost 
write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2WebGLEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled -bool true"}, {"description": "Plug-ins are disabled in the Safari web browser (Legacy version).", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitPluginsEnabled -bool true"}, {"description": "Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PlugInFirstVisitPolicy 
PlugInPolicyBlock"}}, {"description": "The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.", "confidence": "required", "tests": [{"type": "exact match", "command": "/usr/libexec/PlistBuddy -c \"Print :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy\" ~/Library/Preferences/com.apple.Safari.plist", "command_pass": "PlugInPolicyBlock", "case_sensitive": "false"}], "fix": {"command": "/usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin dict\" ~/Library/Preferences/com.apple.Safari.plist ; /usr/libexec/PlistBuddy -c \"Add :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy string PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist; /usr/libexec/PlistBuddy -c \"Set :ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInFirstVisitPolicy PlugInPolicyBlock\" ~/Library/Preferences/com.apple.Safari.plist"}}, {"description": "The Java plug-in is disabled in the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool true"}, {"description": "The Java plug-in is disabled in the Safari web browser (Legacy version).", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari 
WebKitJavaEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool true"}, {"description": "The Safari web browser is configured to treat SHA-1 certificates as insecure.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari TreatSHA1CertificatesAsInsecure -bool false"}, {"description": "The Safari web browser will not pre-load webpages that rank highly as search matches.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari PreloadTopHit", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari PreloadTopHit -bool true"}, {"description": "The Safari web browser will not include search engine suggestions for text typed in the location bar.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool true"}, "undo": "defaults -currentHost write 
~/Library/Preferences/com.apple.Safari SuppressSearchSuggestions -bool false"}, {"description": "The Safari web browser's search suggestions are disabled.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled", "command_pass": "0", "command_fail": "1", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool false"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari UniversalSearchEnabled -bool true"}, {"description": "The Safari web browser uses the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari SendDoNotTrackHTTPHeader -bool false"}, {"description": "PDF viewing is disabled in the Safari web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari WebKitOmitPDFSupport -bool true"}, "undo": ""}, {"description": "Full website addresses are displayed in the location bar of the Safari web browser.", "confidence": "required", "tests": [{"type": "exact match", "command": "defaults -currentHost read ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField", "command_pass": "1", "command_fail": "0", "case_sensitive": "false"}], "fix": {"command": "defaults 
-currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool true"}, "undo": "defaults -currentHost write ~/Library/Preferences/com.apple.Safari ShowFullURLInSmartSearchField -bool false\""}, {"description": "The Mail application is currently closed.", "confidence": "required", "reference": "https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/defaults.1.html", "tests": [{"type": "exact match", "command": "ps ax | grep -c '/Applications/Mail.app/Contents/MacOS/Mail'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Mail\" ; sleep 1"}}, {"description": "Apple Mail does not automatically load remote content in e-mails.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/com.apple.mail-shared DisableURLLoading", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool true"}, "undo": "defaults write ~/Library/Preferences/com.apple.mail-shared DisableURLLoading -bool false"}, {"description": "Mail identified by Apple Mail as junk is sent to the Junk mailbox.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults -currentHost read ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "defaults -currentHost write ~/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail JunkMailBehavior -int 2"}}, {"description": "GPGMail is in use.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 1, 
"command_fail": 0, "case_sensitive": false}], "fix": {"manual": "1. Visit https://gpgtools.org/ and install GPG Suite. This tool can be used to encrypted and sign emails sent to other PGP users."}}, {"description": "New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail EncryptNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist EncryptNewEmailsByDefault -bool false"}, {"description": "New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail OptionallyEncryptDrafts", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist OptionallyEncryptDrafts -bool false"}, {"description": "New e-mails composed in Apple Mail are signed by GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": 
"gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SignNewEmailsByDefault", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SignNewEmailsByDefault -bool false"}, {"description": "Apple Mail automatically checks for updates to GPGMail.", "confidence": "required", "tests": [{"type": "exact match", "command": "apple_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "gpg_mail_in_use", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "defaults read ~/Library/Preferences/org.gpgtools.gpgmail SUEnableAutomaticChecks", "command_pass": 1, "command_fail": 0, "case_sensitive": false}], "fix": {"command": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool true"}, "undo": "defaults write ~/Library/Preferences/org.gpgtools.gpgmail.plist SUEnableAutomaticChecks -bool false"}, {"description": "The Google Chrome browser is currently closed.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "ps ax | grep -c 'Google Chrome.app'", "command_pass": 2, "case_sensitive": false}], "fix": {"command": "killall \"Google Chrome\" ; sleep 3"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through navigation errors.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' alternate_error_pages.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' alternate_error_pages.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through URL suggestions.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' search.suggest_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' search.suggest_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through network prediction.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' net.network_prediction_options", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' net.network_prediction_options -int 2"}}, {"description": "All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google.", "confidence": "recommended", "tests": [{"type": "exact match", 
"command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.extended_reporting_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.extended_reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have Google Safe Browsing enabled.", "confidence": "recommended", "reference": "https://en.wikipedia.org/wiki/Google_Safe_Browsing", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' safebrowsing.enabled", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' safebrowsing.enabled -bool true"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through spell-checking network services.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' spellcheck.use_spelling_service", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 
2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' spellcheck.use_spelling_service -bool false"}}, {"description": "All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "if [ -e \"$(ls ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats)\" ]; then echo \"True\"; exit; fi ; echo $(python ./scripts/chrome_defaults.py read ~/Library/Application\\ Support/Google/Chrome/Local\\ State user_experience_metrics.reporting_enabled)", "command_pass": ".*False$", "case_sensitive": "false"}], "fix": {"command": "rm ~/Library/Application\\ Support/Google/Chrome/Consent\\ To\\ Send\\ Stats ; python ./scripts/chrome_defaults.py write \"$(ls ~/Library/Application\\ Support/Google/Chrome/Local\\ State)\" user_experience_metrics.reporting_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles use the Do-Not-Track HTTP header.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' enable_do_not_track", "command_pass": "^(True\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' enable_do_not_track -bool true"}}, {"description": "All Google Chrome web browser profiles prevent pop-ups.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ 
Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.popups", "command_pass": "^((The attribute 'profile.default_content_setting_values.popups' does not exist in '[^']+'\\.\\n?)|(None\\n?))+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py delete '{}' profile.default_content_setting_values.popups"}}, {"description": "All Google Chrome web browser profiles prevent geolocation by websites.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.geolocation", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.geolocation -int 2"}}, {"description": "All Google Chrome web browser profiles block unsandboxed plug-in software.", "confidence": "recommended", "reference": "http://superuser.com/questions/654595/adobe-flash-player-ppapi-vs-npapi-in-google-chrome", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.default_content_setting_values.ppapi_broker", "command_pass": "^(2\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome 
-name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.default_content_setting_values.ppapi_broker -int 2"}}, {"description": "All Google Chrome web browser profiles prevent filling personal information into forms automatically.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' autofill.enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' autofill.enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Password Manager.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' profile.password_manager_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' profile.password_manager_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python 
./scripts/chrome_defaults.py read '{}' credentials_enable_autosignin", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' credentials_enable_autosignin -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled Google CloudPrint.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' local_discovery.notifications_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' local_discovery.notifications_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles block Flash cookies.", "confidence": "required", "reference": "https://en.wikipedia.org/wiki/Local_shared_object", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.clear_lso_data_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.clear_lso_data_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.", "confidence": "required", "reference": 
"http://www.newtriks.com/2012/12/01/how-to-disable-the-chrome-pepper-flash-player/", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' browser.pepper_flash_settings_enabled", "command_pass": "^(False\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py write '{}' browser.pepper_flash_settings_enabled -bool false"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Shockwave Flash'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.", "confidence": "required", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Adobe Flash Player'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": 
{"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} ./scripts/chrome_flash.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Native Client plug-in.", "confidence": "required", "reference": "https://developer.chrome.com/native-client", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Native Client'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_nativeclient.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "regex match", "command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' plugins.plugins_list", "command_pass": "^(\\[[^\\[]+'enabled': False, 'name': 'Widevine Content Decryption Module'[^\\]]+\\]\\n?)+$", "case_sensitive": "false"}], "fix": {"command": "find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} bash ./scripts/chrome_widevine.sh '{}'"}}, {"description": "All Google Chrome web browser profiles have enabled the uBlock Origin extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find 
~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.cjpalhdlnbpafiamejdnhcphjbkeiagm.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the Ghostery extension.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.mlomiejdfkolichcflejclcbmpeaniij.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", 
"command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "All Google Chrome web browser profiles have enabled the ScriptSafe extension.", "confidence": "experimental", "tests": [{"type": "exact match", "command": "chrome_is_installed", "command_pass": 0, "case_sensitive": false}, {"type": "exact match", "command": "DISABLEREASONS=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.disable_reasons | grep -v \"does not exist\" | grep -v \"not found\") ; if [[ -n $DISABLEREASONS ]] ; then echo \"False\" ; exit ; fi ; BADSTATE=$(find ~/Library/Application\\ Support/Google/Chrome -name \"Preferences\" -maxdepth 2 | grep -v \"Guest Profile\" | grep -v \"System Profile\" | xargs -I{} python ./scripts/chrome_defaults.py read '{}' extensions.settings.oiigbmnaadbkfbmpbfijlflahbdbdgdf.state | grep -v \"1\") ; if [[ -n $BADSTATE ]] ; then echo \"False\" ; fi ; echo \"True\" ;", "command_pass": "True", "case_sensitive": "false"}], "fix": {"manual": "1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome.\n2. Select \"Add to Chrome\".\n3. Complete any required follow-up steps as instructed on the screen."}}, {"description": "Google Chrome is the default web browser.", "confidence": "recommended", "tests": [{"type": "exact match", "command": "VERSIONER_PERL_PREFER_32_BIT=true perl -MMac::InternetConfig -le 'print +(GetICHelper \"http\")[1]'", "command_pass": "Google Chrome", "case_sensitive": "false"}], "fix": {"manual": "1. 
Install Google Chrome if not already installed.\n2. Open System Preferences.\n3. Select \"General\".\n4. Under \"Default web browser\", select \"Google Chrome\"."}}, {"description": "OSX/Keydnap malware is not present.", "confidence": "required", "reference": "http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/", "tests": [{"type": "exact match", "command": "if [ -e \"/Applications/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_fail": 1, "case_sensitive": false}, {"type": "exact match", "command": "if [ -e \"/Library/Application Support/com.apple.iCloud.sync.daemon/\" ] ; then echo 1 ; else echo 0 ; fi", "command_pass": 0, "command_fail": 1, "case_sensitive": false}], "fix": {"manual": "1. One or more of the files associated with the OSX/Keydnap malware was found. 
Please report this to the authors of osx-config-check via GitHub (https://github.com/kristovatlas/osx-config-check) or Twitter (https://twitter.com/kristovatlas).\n2. Refer to this link: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/"}}] \ No newline at end of file From 4934b53d2313b5baaa471ac819a7b1fad9ac6ec4 Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 17:14:18 -0400 Subject: [PATCH 42/43] update version number :-D --- app.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app.py b/app.py index 9677418..84d4f6d 100644 --- a/app.py +++ b/app.py @@ -19,7 +19,7 @@ const.FIX_RECOMMENDED_BY_DEFAULT = True #TODO: command line flag const.FIX_EXPERIMENTAL_BY_DEFAULT = False #TODO: command line flag -const.VERSION = "v0.0.0-alpha (rattata)" +const.VERSION = "v1.0.0-alpha (pidgeotto)" const.API_FILENAME = './scripts/api.sh' From 0294910a1af0a344e308bcbda61d7b9a3d4a548d Mon Sep 17 00:00:00 2001 From: Kristov Atlas Date: Thu, 1 Sep 2016 17:15:10 -0400 Subject: [PATCH 43/43] update sample output in README --- README.md | 370 +++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 253 insertions(+), 117 deletions(-) diff --git a/README.md b/README.md index 0761c92..9353ccf 100644 --- a/README.md +++ b/README.md 
@@ -49,131 +49,267 @@ OPTIONS: ```bash $ python app.py -CHECK #1: The System Preferences application is currently closed.... PASSED! -CHECK #2: Current user is a non-admin account. (Create a new account if this fails!)... PASSED! -CHECK #3: The OSX application firewall is enabled (system-wide).... PASSED! -CHECK #4: The OSX application firewall is enabled (current user only).... PASSED! -CHECK #5: A password is required to wake the computer from sleep or screen saver (system-wide).... PASSED! -CHECK #6: A password is required to wake the computer from sleep or screen saver (current user only).... PASSED! -CHECK #7: There is no delay between starting the screen saver and locking the machine (system-wide).... PASSED! -CHECK #8: There is no delay between starting the screen saver and locking the machine (current user only).... PASSED! -CHECK #9: Logging is enabled for the operating system.... PASSED! -CHECK #10: Homebrew analytics are disabled. (NOTE: Fix requires you to login/logout.)... PASSED! -CHECK #11: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)... PASSED! -CHECK #12: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)... PASSED! -CHECK #13: Automatic whitelisting of Apple-signed applications for firewall is disabled (system-wide).... PASSED! -CHECK #14: Automatic whitelisting of Apple-signed applications for firewall is disabled (current user only).... PASSED! -CHECK #15: Captive portal for connecting to new networks is disabled to prevent MITM attacks.... PASSED! -CHECK #16: OpenSSL is up-to-date.... PASSED! -CHECK #17: Hidden files are displayed in Finder.... PASSED! -CHECK #18: All application software is currently up to date.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. 
The command to be executed is: 'sudo softwareupdate --schedule | grep 'Automatic check is on'' -CHECK #19: Automatic check for software updates is enabled.... PASSED! -CHECK #20: GateKeeper protection against untrusted applications is enabled.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo defaults read /Library/Preferences/com.apple.Bluetooth ControllerPowerState' -CHECK #21: Bluetooth is disabled.... FAILED! - Apply the following EXPERIMENTAL fix? This will execute this command: - 'defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued' [y/N] -CHECK #22: The infrared receiver is disabled.... PASSED! -CHECK #23: AirDrop file sharing is disabled.... PASSED! -CHECK #24: File sharing is disabled.... PASSED! -CHECK #25: Printer sharing is disabled.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup -getremotelogin' -CHECK #26: Remote login is disabled.... PASSED! -CHECK #27: Remote Management is disabled.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup -getremoteappleevents' -CHECK #28: Remote Apple events are disabled.... PASSED! -CHECK #29: Internet Sharing is disabled on all network interfaces.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup getwakeonnetworkaccess' -CHECK #30: Wake on Network Access feature is disabled.... PASSED! -The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. 
The command to be executed is: 'sudo systemsetup getusingnetworktime' -CHECK #31: Automatic setting of time and date is disabled.... PASSED! -CHECK #32: IPv6 is disabled on all network interfaces.... PASSED! -CHECK #33: An administrator password is required to change system-wide preferences.... PASSED! -CHECK #34: Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)... PASSED! -CHECK #35: The File Vault key is destroyed when going to standby mode.... PASSED! -CHECK #36: The system will store a copy of memory to persistent storage, and will remove power to memory.... PASSED! -CHECK #37: git is up to date or is not installed... PASSED! -CHECK #38: Apple Push Notifications are disabled.... PASSED! -CHECK #39: Google DNS servers are used by default on all network interfaces.... PASSED! -CHECK #40: The curl utility is up to date or absent from the system.... PASSED! -CHECK #41: FileVault file system encryption is enabled.... PASSED! -CHECK #42: FileVault file system encryption is enabled at the root directory.... PASSED! -CHECK #43: The idle timer for screen saver activation is set to 10 minutes or less.... PASSED! -CHECK #44: The Safari application is currently closed.... PASSED! -CHECK #45: Safari will not auto-fill credit card data.... PASSED! -CHECK #46: Safari will not auto-fill your contact data.... PASSED! -CHECK #47: Safari will not auto-fill miscellaneous forms.... PASSED! -CHECK #48: Safari will not auto-fill usernames or passwords.... PASSED! -CHECK #49: Files downloaded in Safari are not automatically opened.... PASSED! -CHECK #50: Cookies and local storage are always blocked in Safari.... PASSED! -CHECK #51: Safari extensions are disabled.... PASSED! -CHECK #52: The Safari web browser will warn when visiting known fraudulent websites.... PASSED! -CHECK #53: JavaScript disabled in the Safari web browser.... PASSED! -CHECK #54: JavaScript disabled in the Safari web browser (Legacy version).... PASSED! 
-CHECK #55: Pop-up windows are blocked in the Safari web browser.... PASSED! -CHECK #56: Pop-up windows are blocked in the Safari web browser (Legacy version).... PASSED! -CHECK #57: The WebGL plug-in is disabled in the Safari web browser.... PASSED! -CHECK #58: Plug-ins are disabled in the Safari web browser.... PASSED! -CHECK #59: Plug-ins are disabled in the Safari web browser (Legacy version).... PASSED! -CHECK #60: Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.... PASSED! -CHECK #61: The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.... PASSED! -CHECK #62: The Java plug-in is disabled in the Safari web browser.... PASSED! -CHECK #63: The Java plug-in is disabled in the Safari web browser (Legacy version).... PASSED! -CHECK #64: The Safari web browser is configured to treat SHA-1 certificates as insecure.... PASSED! -CHECK #65: The Safari web browser will not pre-load webpages that rank highly as search matches.... PASSED! -CHECK #66: The Safari web browser will not include search engine suggestions for text typed in the location bar.... PASSED! -CHECK #67: The Safari web browser's search suggestions are disabled.... PASSED! -CHECK #68: The Safari web browser uses the Do-Not-Track HTTP header.... PASSED! -CHECK #69: PDF viewing is disabled in the Safari web browser.... PASSED! -CHECK #70: Full website addresses are disabled in the location bar of the Safari web browser.... PASSED! -CHECK #71: The Mail application is currently closed.... PASSED! -CHECK #72: Apple Mail does not automatically load remote content in e-mails.... PASSED! -CHECK #73: Mail identified by Apple Mail as junk is sent to the Junk mailbox.... PASSED! -CHECK #74: New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.... PASSED! 
-CHECK #75: New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.... PASSED! -CHECK #76: New e-mails composed in Apple Mail are signed by GPGMail.... PASSED! -CHECK #77: Apple Mail with automatically check for updates to GPGMail.... PASSED! -CHECK #78: The Google Chrome browser is currently closed.... PASSED! -CHECK #79: All Google Chrome web browser profiles prevent information leakage through navigation errors.... PASSED! -CHECK #80: All Google Chrome web browser profiles prevent information leakage through URL suggestions.... PASSED! -CHECK #81: All Google Chrome web browser profiles prevent information leakage through network prediction.... PASSED! -CHECK #82: All Google Chrome web browser profiles prevent information leakage through report security incidents to Google.... PASSED! -CHECK #83: All Google Chrome web browser profiles have Google Safe Browsing enabled.... PASSED! -CHECK #84: All Google Chrome web browser profiles prevent information leakage through spell-checking network services.... PASSED! -CHECK #85: All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.... PASSED! -CHECK #86: All Google Chrome web browser profiles use the Do-Not-Track HTTP header.... PASSED! -CHECK #87: All Google Chrome web browser profiles prevent pop-ups.... PASSED! -CHECK #88: All Google Chrome web browser profiles prevent geolocation by websites.... PASSED! -CHECK #89: All Google Chrome web browser profiles block unsandboxed plug-in software.... PASSED! -CHECK #90: All Google Chrome web browser profiles prevent filling personal information into forms automatically.... PASSED! -CHECK #91: All Google Chrome web browser profiles have disabled Password Manager.... PASSED! -CHECK #92: All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.... PASSED! -CHECK #93: All Google Chrome web browser profiles have disabled Google CloudPrint.... PASSED! 
-CHECK #94: All Google Chrome web browser profiles have disabled Flash cookies.... PASSED! -CHECK #95: All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.... PASSED! -CHECK #96: All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.... PASSED! -CHECK #97: All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.... PASSED! -CHECK #98: All Google Chrome web browser profiles have disabled the Native Client plug-in.... PASSED! -CHECK #99: All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.... PASSED! -CHECK #100: All Google Chrome web browser profiles have enabled the uBlock Origin extension.... PASSED! -CHECK #100: All Google Chrome web browser profiles have enabled the uBlock Origin extension.... PASSED! -CHECK #101: All Google Chrome web browser profiles have enabled the Ghostery extension.... PASSED! -CHECK #102: All Google Chrome web browser profiles have enabled the ScriptSafe extension.... PASSED! -CHECK #103: Google Chrome is the default web browser.... PASSED! -Wrote results to '~/Documents/osx-config-check_2016-07-08_17-43-50.log'. +------------------------------------------------------------------------------------------ +osx-config-check v1.0.0-alpha (pidgeotto) +Download the latest copy of this tool at: https://github.com/kristovatlas/osx-config-check +Report bugs/issues: + * GitHub: https://github.com/kristovatlas/osx-config-check/issues + * Twitter: https://twitter.com/kristovatlas +------------------------------------------------------------------------------------------ + + +CHECK #1: Homebrew is installed.... PASSED! + +CHECK #2: Binaries installed to /usr/local/bin are preferred over those in /usr/bin (Note: If this check does not pass, other tests will fail)... PASSED! + +CHECK #3: Java Runtime Environment is up to date.... PASSED! 
+ +CHECK #4: The System Preferences application is currently closed.... PASSED! + +CHECK #5: Current user is a non-admin account.... PASSED! + +CHECK #6: The OSX application firewall is enabled (system-wide).... PASSED! + +CHECK #7: The OSX application firewall is enabled (current user only).... PASSED! + +CHECK #8: A password is required to wake the computer from sleep or screen saver (system-wide).... PASSED! + +CHECK #9: A password is required to wake the computer from sleep or screen saver (current user only).... PASSED! + +CHECK #10: There is no delay between starting the screen saver and locking the machine (system-wide).... PASSED! + +CHECK #11: There is no delay between starting the screen saver and locking the machine (current user only).... PASSED! + +CHECK #12: Logging is enabled for the operating system.... PASSED! + +CHECK #13: Homebrew analytics are disabled.... PASSED! + +CHECK #14: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (system-wide)... PASSED! + +CHECK #15: Stealth mode is enabled for OSX: Computer does not respond to ICMP ping requests or connection attempts from a closed TCP/UDP port. (current user only)... PASSED! + +CHECK #16: Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).... FAILED! + Apply the following fix? This will execute this command: + 'defaults -currentHost write /Library/Preferences/com.apple.alf allowsignedenabled -bool false' [Y/n] y + Attempting configuration fix with elevated privileges; you may be prompted for your OS X login password... +Password: + +CHECK #16: Automatic whitelisting of Apple-signed applications through the firewall is disabled (system-wide).... PASSED! + +CHECK #17: Automatic whitelisting of Apple-signed applications through the firewall is disabled (current user only).... PASSED! 
+ +CHECK #18: Captive portal for connecting to new networks is disabled to prevent MITM attacks.... PASSED! + +CHECK #19: OpenSSL is up to date.... PASSED! + +CHECK #20: Hidden files are displayed in Finder.... PASSED! + +CHECK #21: All application software is currently up to date.... PASSED! +The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo softwareupdate --schedule | grep -i 'Automatic check is on'' + +CHECK #22: Automatic check for software updates is enabled.... PASSED! + +CHECK #23: GateKeeper protection against untrusted applications is enabled.... PASSED! + +CHECK #24: Bluetooth is disabled.... FAILED! + Apply the following EXPERIMENTAL fix? This will execute this command: + 'defaults write /Library/Preferences/com.apple.Bluetooth ControllerPowerState -bool false; killall -HUP blued' [y/N] n + +CHECK #25: The infrared receiver is disabled.... PASSED! + +CHECK #26: AirDrop file sharing is disabled.... PASSED! + +CHECK #27: File sharing is disabled.... PASSED! + +CHECK #28: Printer sharing is disabled.... PASSED! +The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup -getremotelogin' + +CHECK #29: Remote login is disabled.... PASSED! + +CHECK #30: Remote Management is disabled.... PASSED! +The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup -getremoteappleevents' + +CHECK #31: Remote Apple events are disabled.... PASSED! + +CHECK #32: Internet Sharing is disabled on all network interfaces.... PASSED! +The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. 
The command to be executed is: 'sudo systemsetup getwakeonnetworkaccess' + +CHECK #33: Wake on Network Access feature is disabled.... PASSED! +The next configuration check requires elevated privileges; you may be prompted for your current OS X user's password below. The command to be executed is: 'sudo systemsetup getusingnetworktime' + +CHECK #34: Automatic setting of time and date is disabled.... PASSED! + +CHECK #35: IPv6 is disabled on all network interfaces.... PASSED! + +CHECK #36: An administrator password is required to change system-wide preferences.... PASSED! + +CHECK #37: Documents are not stored to iCloud Drive by default. (May be mistaken if iCloud is disabled)... PASSED! + +CHECK #38: The File Vault key is protected when going to standby mode.... PASSED! + +CHECK #39: The system will store a copy of memory to persistent storage, and will remove power to memory.... PASSED! + +CHECK #40: git is up to date or is not installed... PASSED! + +CHECK #41: Apple Push Notifications are disabled.... PASSED! + +CHECK #42: Google DNS servers are used by default on all network interfaces.... PASSED! + +CHECK #43: The curl utility is up to date or absent from the system.... PASSED! + +CHECK #44: FileVault file system encryption is enabled.... PASSED! + +CHECK #45: FileVault file system encryption is enabled at the root directory.... PASSED! + +CHECK #46: The idle timer for screen saver activation is set to 10 minutes or less.... PASSED! + +CHECK #47: System Integrity Protection (SIP) is enabled.... PASSED! + +CHECK #48: The Safari application is currently closed.... PASSED! + +CHECK #49: Safari will not auto-fill credit card data.... PASSED! + +CHECK #50: Safari will not auto-fill your contact data.... PASSED! + +CHECK #51: Safari will not auto-fill miscellaneous forms.... PASSED! + +CHECK #52: Safari will not auto-fill usernames or passwords.... PASSED! + +CHECK #53: Files downloaded in Safari are not automatically opened.... PASSED! 
+ +CHECK #54: Cookies and local storage are always blocked in Safari.... PASSED! + +CHECK #55: Safari extensions are disabled.... PASSED! + +CHECK #56: The Safari web browser will warn when visiting known fraudulent websites.... PASSED! + +CHECK #57: JavaScript is disabled in the Safari web browser.... PASSED! + +CHECK #58: JavaScript is disabled in the Safari web browser (Legacy version).... PASSED! + +CHECK #59: Pop-up windows are blocked in the Safari web browser.... PASSED! + +CHECK #60: Pop-up windows are blocked in the Safari web browser (Legacy version).... PASSED! + +CHECK #61: The WebGL plug-in is disabled in the Safari web browser.... PASSED! + +CHECK #62: Plug-ins are disabled in the Safari web browser.... PASSED! + +CHECK #63: Plug-ins are disabled in the Safari web browser (Legacy version).... PASSED! + +CHECK #64: Plug-ins are blocked by default in the Safari web browser unless a site is explicitly added to a list of allowed sites.... PASSED! + +CHECK #65: The Java plug-in for Safari web browser is blocked unless a site is explicitly added to a list of allowed sites.... PASSED! + +CHECK #66: The Java plug-in is disabled in the Safari web browser.... PASSED! + +CHECK #67: The Java plug-in is disabled in the Safari web browser (Legacy version).... PASSED! + +CHECK #68: The Safari web browser is configured to treat SHA-1 certificates as insecure.... PASSED! + +CHECK #69: The Safari web browser will not pre-load webpages that rank highly as search matches.... PASSED! + +CHECK #70: The Safari web browser will not include search engine suggestions for text typed in the location bar.... PASSED! + +CHECK #71: The Safari web browser's search suggestions are disabled.... PASSED! + +CHECK #72: The Safari web browser uses the Do-Not-Track HTTP header.... PASSED! + +CHECK #73: PDF viewing is disabled in the Safari web browser.... PASSED! + +CHECK #74: Full website addresses are displayed in the location bar of the Safari web browser.... PASSED! 
+ +CHECK #75: The Mail application is currently closed.... PASSED! + +CHECK #76: Apple Mail does not automatically load remote content in e-mails.... PASSED! + +CHECK #77: Mail identified by Apple Mail as junk is sent to the Junk mailbox.... PASSED! + +CHECK #78: GPGMail is in use.... PASSED! + +CHECK #79: New e-mails composed in Apple Mail are encrypted by GPGMail if the receiver's PGP is present in the keychain.... PASSED! + +CHECK #80: New e-mails composed in Apple Mail and saved as drafts are encrypted by GPGMail.... PASSED! + +CHECK #81: New e-mails composed in Apple Mail are signed by GPGMail.... PASSED! + +CHECK #82: Apple Mail automatically checks for updates to GPGMail.... PASSED! + +CHECK #83: The Google Chrome browser is currently closed.... FAILED! + Apply the following fix? This will execute this command: + 'killall "Google Chrome" ; sleep 3' [Y/n] y + +CHECK #83: The Google Chrome browser is currently closed.... PASSED! + +CHECK #84: All Google Chrome web browser profiles prevent information leakage through navigation errors.... PASSED! + +CHECK #85: All Google Chrome web browser profiles prevent information leakage through URL suggestions.... PASSED! + +CHECK #86: All Google Chrome web browser profiles prevent information leakage through network prediction.... PASSED! + +CHECK #87: All Google Chrome web browser profiles prevent information leakage by blocking security incidents reports to Google.... PASSED! + +CHECK #88: All Google Chrome web browser profiles have Google Safe Browsing enabled.... PASSED! + +CHECK #89: All Google Chrome web browser profiles prevent information leakage through spell-checking network services.... PASSED! + +CHECK #90: All Google Chrome web browser profiles prevent information leakage through reporting usage statistics to Google.... PASSED! + +CHECK #91: All Google Chrome web browser profiles use the Do-Not-Track HTTP header.... PASSED! + +CHECK #92: All Google Chrome web browser profiles prevent pop-ups.... PASSED! 
+ +CHECK #93: All Google Chrome web browser profiles prevent geolocation by websites.... PASSED! + +CHECK #94: All Google Chrome web browser profiles block unsandboxed plug-in software.... PASSED! + +CHECK #95: All Google Chrome web browser profiles prevent filling personal information into forms automatically.... PASSED! + +CHECK #96: All Google Chrome web browser profiles have disabled Password Manager.... PASSED! + +CHECK #97: All Google Chrome web browser profiles have disabled automatic sign-in for stored passwords.... PASSED! + +CHECK #98: All Google Chrome web browser profiles have disabled Google CloudPrint.... PASSED! + +CHECK #99: All Google Chrome web browser profiles block Flash cookies.... PASSED! + +CHECK #100: All Google Chrome web browser profiles have disabled the Chrome Pepper Flash Player plug-in.... PASSED! + +CHECK #101: All Google Chrome web browser profiles have disabled the Adobe Shockwave Flash plug-in.... PASSED! + +CHECK #102: All Google Chrome web browser profiles have disabled the Adobe Flash Player plug-in.... PASSED! + +CHECK #103: All Google Chrome web browser profiles have disabled the Native Client plug-in.... PASSED! + +CHECK #104: All Google Chrome web browser profiles have disabled the Widevine Content Decryption Module plug-in.... PASSED! + +CHECK #105: All Google Chrome web browser profiles have enabled the uBlock Origin extension.... FAILED! + +CHECK #106: All Google Chrome web browser profiles have enabled the Ghostery extension.... FAILED! + +CHECK #107: All Google Chrome web browser profiles have enabled the ScriptSafe extension.... FAILED! + +CHECK #108: Google Chrome is the default web browser.... PASSED! + +CHECK #109: OSX/Keydnap malware is not present.... PASSED! +Wrote results to '~/Documents/osx-config-check_2016-09-01_17-09-36.log'. ========================== -2 tests could not be automatically fixed, but manual instructions are available. 
Please manually remediate these problems and re-run the tool: -TEST #100: All Google Chrome web browser profiles have enabled the uBlock Origin extension. +3 tests could not be automatically fixed, but manual instructions are available. Please manually remediate these problems and re-run the tool: +TEST #105: All Google Chrome web browser profiles have enabled the uBlock Origin extension. 1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm in Google Chrome. 2. Select "Add to Chrome". 3. Complete any required follow-up steps as instructed on the screen. ========================== -TEST #101: All Google Chrome web browser profiles have enabled the Ghostery extension. +TEST #106: All Google Chrome web browser profiles have enabled the Ghostery extension. 1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/ghostery/mlomiejdfkolichcflejclcbmpeaniij in Google Chrome. 2. Select "Add to Chrome". 3. Complete any required follow-up steps as instructed on the screen. ========================== +TEST #107: All Google Chrome web browser profiles have enabled the ScriptSafe extension. +1. For each of your Chrome profiles, visit https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf in Google Chrome. +2. Select "Add to Chrome". +3. Complete any required follow-up steps as instructed on the screen. +========================== ``` ## Troubleshooting 
@@ -187,7 +323,7 @@ If you receive an error message referencing these terms, the user you are curren This tool encourages users to use DNS servers run by the Google corporation. This can break some wi-fi networks that use "active portals" to login, like those found at cafes, airports, etc. If you're having trouble connecting to a wi-fi network after using this tool, please use the "dns_helper" tool included. From the terminal application, run: bash dns_helper.sh - + And follow the instructions on the screen carefully. ## Contributing