Mac OS Security & Privacy / Forensics

22.06.2018, 23:04
Member
Laserpointa

Posts: 2176
#1 Mac OS leaves behind many logs and also traces outside the encrypted user folder. I became aware of this through the following, by now ancient, macOS bug: https://objective-see.com/blog/blog_0x30.html

I came across the following project:

>> https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md

Here are some useful settings:

# Show and delete the download history of old files via http://osxdaily.com/2012/07/12/list-download-history-mac-os-x/
# To permanently disable this feature, clear the file and make it immutable via https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md#gatekeeper-and-xprotect

sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
:>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

# Disable Quick Look thumbnail caching outside the user folder via https://objective-see.com/blog/blog_0x30.html
cd "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"
qlmanage -r disablecache

# Clear Finder Preferences via https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md#metadata-and-artifacts
defaults delete ~/Library/Preferences/com.apple.finder.plist FXDesktopVolumePositions
defaults delete ~/Library/Preferences/com.apple.finder.plist FXRecentFolders
defaults delete ~/Library/Preferences/com.apple.finder.plist RecentMoveAndCopyDestinations
defaults delete ~/Library/Preferences/com.apple.finder.plist RecentSearches
defaults delete ~/Library/Preferences/com.apple.finder.plist SGTRecentFileSearches

# macOS may collect sensitive information about what you type, even if user dictionary and suggestions are off. To remove them, and prevent them from being created again, use the following commands via https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md#metadata-and-artifacts
# The globs are left unquoted so that the shell expands ~ and *
rm -rfv ~/Library/LanguageModeling/* ~/Library/Spelling/* ~/Library/Suggestions/*
sudo chmod -R 000 ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions
sudo chflags -R uchg ~/Library/LanguageModeling ~/Library/Spelling ~/Library/Suggestions

# Additional metadata may exist in the following files:
~/Library/Containers/com.apple.appstore/Data/Library/Preferences/com.apple.commerce.knownclients.plist
~/Library/Preferences/com.apple.commerce.plist
~/Library/Preferences/com.apple.QuickTimePlayerX.plist

Expose hidden files and Library folder in Finder:
$ defaults write com.apple.finder AppleShowAllFiles -bool true
$ chflags nohidden ~/Library

Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily).
$ defaults write NSGlobalDomain AppleShowAllExtensions -bool true

Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple):
$ defaults write com.apple.CrashReporter DialogType none

Disable Bonjour multicast advertisements:
$ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES

# Disable gamed connections, since no games are played! via http://www.blog-it-solutions.de/mac-os-game-center-telefoniert/
launchctl unload -w /System/Library/LaunchAgents/com.apple.gamed.plist

# Turn off automatic iCloud saving of documents via http://www.heise.de/newsticker/meldung/OS-X-Tipp-Automatische-iCloud-Speicherung-von-Dokumenten-abschalten-2439183.html
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false

# Enable and configure the firewall + stealth mode + deny incoming connections for all software via https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md#firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off

# Disable sending Spotlight searches to Apple via https://github.com/drduh/macOS-Security-and-Privacy-Guide/blob/master/README.md#spotlight-suggestions
curl -O https://fix-macosx.com/fix-macosx.py
python fix-macosx.py

Here are some interesting Mac OS forensics sites with sources of logs:
https://davidkoepi.wordpress.com/category/mac-forensics/
http://dan3lmi.blogspot.com/2012/10/mac-os-x-forensics-artifacts.html
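
An added example, not part of the original post: a read-only audit of the quarantine database that the `sqlite3` query above reads, showing what it reveals (time, downloading app, URL) and whether the "clear the file and make it immutable" step is in place. The sample database is constructed; the columns `LSQuarantineTimeStamp` and `LSQuarantineAgentName` are assumed from the commonly documented schema of this file, and all function names are hypothetical.

```python
import os
import sqlite3
import stat
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # timestamps count seconds from here

def quarantine_events(db_path):
    """Return (UTC time, downloading app, URL) for every recorded download."""
    # Open read-only so the audit never alters the evidence file.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        # A cleared (0-byte) file is a valid, empty SQLite database without tables.
        if not con.execute("SELECT 1 FROM sqlite_master "
                           "WHERE name='LSQuarantineEvent'").fetchone():
            return []
        rows = con.execute(
            "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, "
            "LSQuarantineDataURLString FROM LSQuarantineEvent "
            "ORDER BY LSQuarantineTimeStamp").fetchall()
    finally:
        con.close()
    return [((MAC_EPOCH + timedelta(seconds=ts)).isoformat(), agent, url)
            for ts, agent, url in rows]

def is_hardened(db_path):
    """True if the file is empty and carries an immutable flag (schg or uchg)."""
    st = os.stat(db_path)
    flags = getattr(st, "st_flags", 0)  # st_flags exists only on macOS/BSD
    return st.st_size == 0 and bool(flags & (stat.SF_IMMUTABLE | stat.UF_IMMUTABLE))

def build_sample_db(path):
    """Constructed sample data, not taken from a real machine."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT, "
                "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
                "LSQuarantineDataURLString TEXT)")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?)", [
        ("A1", 551400000.0, "Safari", "https://example.com/report.pdf"),
        ("A2", 551300000.0, "Firefox", "https://example.org/tool.dmg")])
    con.commit()
    con.close()

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "QuarantineEventsV2")
    build_sample_db(sample)
    for event in quarantine_events(sample):
        print(*event)
    print("hardened:", is_hardened(sample))
```

On a real machine, pass the expanded path of `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`; after the two hardening commands above, `quarantine_events` returns an empty list and `is_hardened` returns `True`.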