≡ Menu

How to secure and lock down Apple OS X 10.11 (El Capitan) with osxlockdown

Is there is an easy way to audit and lock down (secure) Apple OS X 10.11 (El Capitan) unix operating system?

Yes you can use the osxlockdown tool. It was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan). However, this tool may disable functionality in the name of security. Make sure you backup your Macbook/pro/min in advance.

Download osxlockdown

Open the Terminal application and type the following commands:
$ cd
$ mkdir osxlockdown
$ cd osxlockdown
## wget need to be installed using brew ##
$ wget https://github.com/SummitRoute/osxlockdown/raw/master/osxlockdown
$ wget https://github.com/SummitRoute/osxlockdown/raw/master/commands.json

Sample outputs:

--2015-12-31 00:12:33--  https://github.com/SummitRoute/osxlockdown/raw/master/commands.json
Resolving github.com... 192.30.252.129
Connecting to github.com|192.30.252.129|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/SummitRoute/osxlockdown/master/commands.json [following]
--2015-12-31 00:12:35--  https://raw.githubusercontent.com/SummitRoute/osxlockdown/master/commands.json
Resolving raw.githubusercontent.com... 103.245.222.133
Connecting to raw.githubusercontent.com|103.245.222.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12463 (12K) [text/plain]
Saving to: 'commands.json'
 
commands.json                               100%[==========================================================================================>]  12.17K  --.-KB/s   in 0s
 
2015-12-31 00:12:36 (64.2 MB/s) - 'commands.json' saved [12463/12463]


If wget command not installed on Mac, try curl command to grab files:
$ curl -LO https://github.com/SummitRoute/osxlockdown/raw/master/osxlockdown
$ curl -LO https://github.com/SummitRoute/osxlockdown/raw/master/commands.json

Set permissions

Type the following command:
$ chmod +x osxlockdown

How do I check my OS X security settings?

Type the following command:
$ sudo ./osxlockdown
Sample outputs:

Fig.01: osxlockdown command output

Fig.01: osxlockdown command output

How do I secure and fix failed security settings?

You need to run the following command (again, this will secure the system, but will disable many things like AirDrop, Bluetooth, and so on):
$ sudo ./osxlockdown --remediate
Verify it again:
$ sudo ./osxlockdown

Other options

Type the following command:

$ ./osxlockdown --help
Usage of ./osxlockdown:
  -commands_file string
    	JSON file containing the commands and configuration (default "commands.json")
  -hide_passes
    	Disables printing the rules that passed
  -hide_summary
    	Disables printing the summary
  -remediate
    	Implements fixes for failed checks. WARNING: Beware this may break things.
References:
Share this tutorial on:
{ 3 comments… add one }
  • Chris December 31, 2015, 8:49 am

    This document assumes you have WGET installed on OSX, On my Mac with OSX El Capitan, this was not already installed. I installed it using the homebrew package manager.

    Thanks for the script! useful!

    • Vivek Gite December 31, 2015, 9:11 am

      Thanks for the heads up. The faq has been updated to include info about curl command.

  • Duncan January 28, 2016, 12:21 am

    the wget/curl command for the osxlockdown script is wrong, it’s missing the .go extension, it should be:

    $ curl -LO https://github.com/SummitRoute/osxlockdown/raw/master/osxlockdown.go

    However, it’s easier just to git clone the whole project (including the licence and README), which will create the target directory as well:

    $ git clone https://github.com/SummitRoute/osxlockdown

Security: Are you a robot or human?

Leave a Comment

You can use these HTML tags and attributes: <strong> <em> <pre> <code> <a href="" title="">


   Tagged with: , , ,