MacOS Config

Do NOT install Flash, Java, Adobe Reader, Silverlight etc

Many services (including Netflix) now work with HTML5 and those are security risks. Run in a VM if absolutely needed.

Extensions

1Password
Wipr Content Blocker
Cascadea Custom styles for websites

Settings

Disable "Open 'safe' files after downloading", don't need anything to open automatically
Disable AutoFill, use 1Password for that
Set Search Engine to DuckDuckGo
Uncheck "Include Safari Suggestions", "Enable Quick Website Search" and "Preload Top Hit"
Enable "Show Develop menu"

Develop menu

Enable "Experimental Features -> Automatic HTTPS Ugrade"
Disable "Experimental Features -> WebRTC mDNS ICE Candidates"

Disable Hyperlink Auditing Beacon

The <a ping> attribute pings a website when clicking on a link, used for tracking.

Safari:

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Safari Preview:

defaults write com.apple.SafariTechnologyPreview com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Disable Mouse Acceleration

defaults write .GlobalPreferences com.apple.mouse.scaling -1

Cloudflare DNS

Fast & Private.

Under "System Preferences -> Network -> (Adapter Name) -> Advanced -> DNS" add the following DNS Servers:

1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001

Privacy Options

Under "System Preferences -> Securiy & Privacy -> Privacy"

Disable "Analytics & Improvements -> Share Mac Analytics/Improve Siri & Dictation/Share iCloud Analytics"
Disable "Advertising -> Limit Ad Tracking" (Click on "Reset Advertising Identifier" while we're at it)

Homebrew: Disable Analytics and increase security

In our shell config: (.zshrc/.bashrc etc)

export HOMEBREW_NO_ANALYTICS=1
export HOMEBREW_NO_INSECURE_REDIRECT=1
export HOMEBREW_CASK_OPTS=--require-sha

Lock screen when screensaver starts

defaults write com.apple.screensaver askForPassword -int 1
defaults write com.apple.screensaver askForPasswordDelay -int 0

Show filename extensions

defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Disable Crash Reporter dialog

defaults write com.apple.CrashReporter DialogType none

Sudo with TouchID

Edit /etc/pam.d/sudo and add to following line near the top:

auth sufficient pam_tid.so

Note that this will break sudo when SSH'ing to your machine, can't TouchID from a remote machine.

Stop execution user's shell evironment when using sudo

Sudo command exports your User's home directory by default, which will execute the home user's .bashrc/.zshrc and other dotfiles as root. This makes it easier for a malware to execute commands as root. Comment out the following line in /ets/sudoers:

Defaults env_keep += "HOME MAIL"

To keep the convenience of having your own home directory as root, add to /var/root/.bashrc:

export HOME=/Users/username

Disable automatically launching Captive Portal page

Automatically launching the Captive Portal Assistant could lead to a malicious network redirecting to a site with malware. Can still access the captive portal by using a browser and going to a random unsecure HTTP page.

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false

More Recent OpenSSL

Apple is using their own TLS Library, and OpenSSL is deprecated, to get a more up to date version to increase security: brew install openssl

Add to your shell config:

export PATH="/usr/local/opt/openssl/bin:${PATH}"
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"

Install GnuPG

Most likely needed for software development.

brew install gnupg

Download recommended defaults:

curl -o ~/.gnupg/gpg.conf https://raw.githubusercontent.com/drduh/config/master/gpg.conf

Increase maximum open file descriptors

When using your machine for development you'll run into this problem eventually.

Create a file /Library/LaunchDaemons/limit.maxfiles.plist and add the contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
          "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>limit.maxfiles</string>
    <key>ProgramArguments</key>
    <array>
      <string>launchctl</string>
      <string>limit</string>
      <string>maxfiles</string>
      <string>524288</string>
      <string>524288</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>ServiceIPC</key>
    <false/>
  </dict>
</plist>

Change ownership of the file:

sudo chmod 600 /Library/LaunchDaemons/limit.maxfiles.plist
sudo chown root /Library/LaunchDaemons/limit.maxfiles.plist

Load the file to enable it:

sudo launchctl load -w /Library/LaunchDaemons/limit.maxfiles.plist

Reboot and check if the limit is correctly applied with launchctl limit maxfiles

Disable some Metadata collection

Disable Quarantine storing metadata of inspected files:

sudo : >! ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

Disable collection of what you type: (collects even if suggestions are off)

rm -rfv "~/Library/LanguageModeling/*" "~/Library/Spelling/*" "~/Library/Suggestions/*"
chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions

Disable QuickLook Metadata collection:

rm -rfv "~/Library/Application Support/Quick Look/*"
chmod -R 000 "~/Library/Application Support/Quick Look"
chflags -R uchg "~/Library/Application Support/Quick Look"

Disable Siri Analytics:

rm -rfv ~/Library/Assistant/SiriAnalytics.db
chmod -R 000 ~/Library/Assistant/SiriAnalytics.db
chflags -R uchg ~/Library/Assistant/SiriAnalytics.db

Kuret/Apps.md

Useful Apps