
@ecmendenhall
Created February 20, 2014 05:35

nsad

A tool to disable OS X kernel extensions, along with a few launch daemons, launch agents and setuid/setgid bits, based on the NSA guide to protecting yourself from the NSA.

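To run on startup (the launch daemon runs nsad as root, so both files should be owned by root and not writable by other users):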

$ mv nsad /usr/local/bin
$ mv com.cmendenhall.nsad.plist /System/Library/LaunchDaemons

To restore disabled services after nsad has been activated (this does not put back the setuid/setgid bits that `nsad start` removed):

$ nsad stop

To re-block services:

$ nsad start
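<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- launchd job definition that runs "nsad start" as root. -->
<dict>
    <key>Label</key>
    <string>com.cmendenhall.nsad</string>
    <!-- The script path is executed as root; keep the file root-owned and
         not writable by other users. -->
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/nsad</string>
        <string>start</string>
    </array>
    <!-- launchd starts jobs on demand by default; RunAtLoad makes the job run
         once when it is loaded, which is what "run on startup" needs. -->
    <key>RunAtLoad</key>
    <true/>
    <key>GroupName</key>
    <string>wheel</string>
    <key>UserName</key>
    <string>root</string>
    <key>Nice</key>
    <integer>1</integer>
    <!-- stdout and stderr share one log file. -->
    <key>StandardErrorPath</key>
    <string>/var/log/nsad.log</string>
    <key>StandardOutPath</key>
    <string>/var/log/nsad.log</string>
</dict>
</plist>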
#! /bin/bash
# System launch daemons (plist names under /System/Library/LaunchDaemons)
# that set_daemons loads or unloads.
daemons=(
  # Bluetooth daemon
  com.apple.blued.plist
  # NIS binding service
  com.apple.nis.ypbind.plist
  # Remote Desktop / screen-sharing helpers
  com.apple.RemoteDesktop.PrivilegeProxy.plist
  com.apple.RFBEventHelper.plist
)
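#######################################
# Run one launchctl subcommand against every daemon listed in `daemons`.
# Globals:   daemons (read)
# Arguments: $1 - launchctl subcommand; this script passes `load` or `unload`
# Outputs:   one "<subcommand> <plist>" progress line per daemon on stdout
# Returns:   exit status of the last launchctl invocation
#######################################
set_daemons() {
  local action=$1
  local daemon
  for daemon in "${daemons[@]}"; do
    printf '%s %s\n' "${action}" "${daemon}"
    # -w also records the enabled/disabled override, so the change persists
    # across reboots instead of lasting only for the current boot.
    # The subcommand is quoted so it always reaches launchctl as one word.
    launchctl "${action}" -w "/System/Library/LaunchDaemons/${daemon}"
  done
}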
# Launch agents (plist names under /System/Library/LaunchAgents) that
# set_agents loads or unloads.
agents=(
  # Remote Desktop agent
  com.apple.RemoteDesktop.plist
)
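#######################################
# Run one launchctl subcommand against every agent listed in `agents`.
# Globals:   agents (read)
# Arguments: $1 - launchctl subcommand; this script passes `load` or `unload`
# Outputs:   one "<subcommand> <plist>" progress line per agent on stdout
# Returns:   exit status of the last launchctl invocation
#######################################
set_agents() {
  local action=$1
  local agent
  for agent in "${agents[@]}"; do
    printf '%s %s\n' "${action}" "${agent}"
    # NOTE(review): launch agents normally live in a per-user launchd domain;
    # confirm that running this from the root daemon context has the
    # intended effect on logged-in users' sessions.
    launchctl "${action}" -w "/System/Library/LaunchAgents/${agent}"
  done
}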
# Binaries whose setuid/setgid bits disable_setuid_guid strips.
# NOTE(review): the `stop` branch of this script has no step that puts
# these bits back, so the original modes are not recorded anywhere.
setuid_guid=(
  # Apple Remote Desktop agent
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
  # NFS mount helper
  /sbin/mount_nfs
  # at / cron job scheduling
  /usr/bin/at
  /usr/bin/atq
  /usr/bin/atrm
  /usr/bin/chpass
  /usr/bin/crontab
  /usr/bin/ipcs
  /usr/bin/newgrp
  # mail queue handling
  /usr/sbin/postdrop
  /usr/sbin/postqueue
  /usr/bin/procmail
  # terminal messaging
  /usr/bin/wall
  /usr/bin/write
  # legacy r-commands
  /bin/rcp
  /usr/bin/rlogin
  /usr/bin/rsh
  /usr/lib/sa/sadc
  /usr/sbin/scselect
  /usr/sbin/traceroute
  /usr/sbin/traceroute6
)
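#######################################
# Remove the setuid and setgid bits from every path in `setuid_guid`.
# Paths that do not exist on this system are reported and skipped rather
# than passed to chmod.
# Globals:   setuid_guid (read)
# Arguments: none
# Outputs:   a "skip" line on stderr for each missing path
# Returns:   0 if every existing path was changed, 1 if any chmod failed
# NOTE(review): nothing in this script restores these bits afterwards.
#######################################
disable_setuid_guid() {
  local bin
  local status=0
  for bin in "${setuid_guid[@]}"; do
    if [[ ! -e "${bin}" ]]; then
      printf 'disable_setuid_guid: skip (not present): %s\n' "${bin}" >&2
      continue
    fi
    chmod ug-s "${bin}" || status=1
  done
  return "${status}"
}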
# Bluetooth kernel extensions (names under /System/Library/Extensions)
# handled by disable_bluetooth and enable_bluetooth.
bluetooth_kexts=(
  IOBluetoothFamily.kext
  IOBluetoothHIDDriver.kext
)
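#######################################
# Disable a file or bundle by renaming it to "<path>.disabled".
# Arguments: $1 - path to disable
# Outputs:   a diagnostic on stderr when nothing is moved
# Returns:   0 on success, 1 if the path is missing, the ".disabled"
#            name is already taken, or mv fails
#######################################
disable_file() {
  local file=$1
  if [[ ! -e "${file}" ]]; then
    printf 'disable_file: not found: %s\n' "${file}" >&2
    return 1
  fi
  # Kexts are directories: if "<path>.disabled" already exists, mv would
  # nest the bundle inside it instead of renaming it.
  if [[ -e "${file}.disabled" ]]; then
    printf 'disable_file: already exists: %s\n' "${file}.disabled" >&2
    return 1
  fi
  mv "${file}" "${file}.disabled"
}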
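#######################################
# Re-enable a file or bundle by renaming "<path>.disabled" back to "<path>".
# Arguments: $1 - original path (without the ".disabled" suffix)
# Outputs:   a diagnostic on stderr when nothing is moved
# Returns:   0 on success, 1 if there is no ".disabled" copy, the original
#            path is already occupied, or mv fails
#######################################
enable_file() {
  local file=$1
  if [[ ! -e "${file}.disabled" ]]; then
    printf 'enable_file: not found: %s\n' "${file}.disabled" >&2
    return 1
  fi
  # If the original path exists again (for example, reinstalled), mv would
  # move the disabled bundle inside it instead of renaming it.
  if [[ -e "${file}" ]]; then
    printf 'enable_file: already exists: %s\n' "${file}" >&2
    return 1
  fi
  mv "${file}.disabled" "${file}"
}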
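#######################################
# Disable a directory by renaming it to "<path>.disabled".
# Arguments: $1 - directory path to disable
# Outputs:   a diagnostic on stderr when nothing is moved
# Returns:   0 on success, 1 if the path is missing, the ".disabled"
#            name is already taken, or mv fails
#######################################
disable_dir() {
  local dir=$1
  if [[ ! -e "${dir}" ]]; then
    printf 'disable_dir: not found: %s\n' "${dir}" >&2
    return 1
  fi
  # With an existing "<path>.disabled" directory, mv would nest the source
  # inside it instead of renaming it.
  if [[ -e "${dir}.disabled" ]]; then
    printf 'disable_dir: already exists: %s\n' "${dir}.disabled" >&2
    return 1
  fi
  mv "${dir}" "${dir}.disabled"
}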
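#######################################
# Re-enable a directory by renaming "<path>.disabled" back to "<path>".
# Arguments: $1 - original directory path (without the ".disabled" suffix)
# Outputs:   a diagnostic on stderr when nothing is moved
# Returns:   0 on success, 1 if there is no ".disabled" copy, the original
#            path is already occupied, or mv fails
#######################################
enable_dir() {
  local dir=$1
  if [[ ! -e "${dir}.disabled" ]]; then
    printf 'enable_dir: not found: %s\n' "${dir}.disabled" >&2
    return 1
  fi
  # With the original directory present again, mv would move the disabled
  # copy inside it instead of renaming it.
  if [[ -e "${dir}" ]]; then
    printf 'enable_dir: already exists: %s\n' "${dir}" >&2
    return 1
  fi
  mv "${dir}.disabled" "${dir}"
}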
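#######################################
# Unload each Bluetooth kext and rename it so it cannot be loaded again.
# Globals:   bluetooth_kexts (read)
# Arguments: none
# Returns:   exit status of the final touch
#######################################
disable_bluetooth() {
  local ext_dir=/System/Library/Extensions
  local kext
  for kext in "${bluetooth_kexts[@]}"; do
    kextunload "${ext_dir}/${kext}"
    disable_file "${ext_dir}/${kext}"
  done
  # Bump the directory's mtime; presumably this is what prompts the system
  # to rebuild its kext cache (confirm for the target OS X release).
  touch "${ext_dir}"
}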
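#######################################
# Rename each Bluetooth kext back into place and load it again.
# Globals:   bluetooth_kexts (read)
# Arguments: none
# Returns:   exit status of the final touch
#######################################
enable_bluetooth() {
  local ext_dir=/System/Library/Extensions
  local kext
  for kext in "${bluetooth_kexts[@]}"; do
    # Restore the bundle first: kextload needs it under its original name.
    enable_file "${ext_dir}/${kext}"
    kextload "${ext_dir}/${kext}"
  done
  # Bump the directory's mtime; presumably this is what prompts the system
  # to rebuild its kext cache (confirm for the target OS X release).
  touch "${ext_dir}"
}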
# Camera-related kernel extensions (paths relative to
# /System/Library/Extensions).
# NOTE(review): no function in the script as shown reads this array;
# disable_isight and enable_isight hard-code AppleCameraInterface.kext,
# so the other two entries are never touched.
isight_kexts=(
  AppleCameraInterface.kext
  Apple_iSight.kext
  IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
)
#######################################
# Unload and rename the camera interface kext, then rename the QuickTime
# USB video digitizer component.
# Arguments: none
# Returns:   exit status of the final disable_dir call
# NOTE(review): only AppleCameraInterface.kext is handled here; the other
# entries of isight_kexts are left in place.
#######################################
disable_isight() {
  local ext_dir=/System/Library/Extensions
  local camera_kext="${ext_dir}/AppleCameraInterface.kext"
  local digitizer=/System/Library/Quicktime/QuickTimeUSBVDCDigitizer.component

  kextunload "${camera_kext}"
  touch "${ext_dir}"
  disable_file "${camera_kext}"
  disable_dir "${digitizer}"
}
#######################################
# Rename the camera interface kext back into place, load it, and restore
# the QuickTime USB video digitizer component.
# Arguments: none
# Returns:   exit status of the final enable_dir call
#######################################
enable_isight() {
  local ext_dir=/System/Library/Extensions
  local camera_kext="${ext_dir}/AppleCameraInterface.kext"
  local digitizer=/System/Library/Quicktime/QuickTimeUSBVDCDigitizer.component

  enable_file "${camera_kext}"
  kextload "${camera_kext}"
  touch "${ext_dir}"
  enable_dir "${digitizer}"
}
#######################################
# Unload the infrared receiver kext and rename its bundle.
# Arguments: none
# Returns:   exit status of the final disable_dir call
#######################################
disable_ir() {
  local ext_dir=/System/Library/Extensions
  local ir_kext="${ext_dir}/AppleIRController.kext"

  kextunload "${ir_kext}"
  touch "${ext_dir}"
  disable_dir "${ir_kext}"
}
#######################################
# Rename the infrared receiver kext back into place and load it.
# Arguments: none
# Returns:   exit status of the final touch
#######################################
enable_ir() {
  local ext_dir=/System/Library/Extensions
  local ir_kext="${ext_dir}/AppleIRController.kext"

  enable_dir "${ir_kext}"
  kextload "${ir_kext}"
  touch "${ext_dir}"
}
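# Entry point: `nsad start` applies the hardening, `nsad stop` reverts it.
# The argument is validated first; an unquoted, missing $1 would otherwise
# turn the test into a syntax error.
action=${1:-}
case "${action}" in
  start | stop) ;;
  *)
    printf 'Usage: %s {start|stop}\n' "${0##*/}" >&2
    exit 2
    ;;
esac

# Every step below changes system files or system launchd jobs.
if ((EUID != 0)); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

if [[ "${action}" == start ]]; then
  set_daemons unload
  set_agents unload
  disable_setuid_guid
  disable_bluetooth
  disable_isight
  disable_ir
else
  # NOTE(review): there is no counterpart to disable_setuid_guid here, so
  # the setuid/setgid bits removed by `start` stay removed after `stop`.
  set_daemons load
  set_agents load
  enable_bluetooth
  enable_isight
  enable_ir
fi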