Is there is an easy way to audit and lock down (secure) Apple OS X 10.11 (El Capitan) unix operating system?

Yes you can use the osxlockdown tool. It was built to audit, and remediate, security configuration settings on OS X 10.11 (El Capitan). However, this tool may disable functionality in the name of security. Make sure you backup your Macbook/pro/min in advance.

Download osxlockdown

Open the Terminal application and type the following commands:
$ cd
$ mkdir osxlockdown
$ cd osxlockdown
## wget need to be installed using brew ##
$ wget
$ wget

Sample outputs:

--2015-12-31 00:12:33--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2015-12-31 00:12:35--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12463 (12K) [text/plain]
Saving to: 'commands.json'
commands.json                               100%[==========================================================================================>]  12.17K  --.-KB/s   in 0s     
2015-12-31 00:12:36 (64.2 MB/s) - 'commands.json' saved [12463/12463]

If wget command not installed on Mac, try curl command to grab files:
$ curl -LO
$ curl -LO

Set permissions

Type the following command:
$ chmod +x osxlockdown

How do I check my OS X security settings?

Type the following command:
$ sudo ./osxlockdown
Sample outputs:

Fig.01: osxlockdown command output

How do I secure and fix failed security settings?

You need to run the following command (again, this will secure the system, but will disable many things like AirDrop, Bluetooth, and so on):
$ sudo ./osxlockdown --remediate
Verify it again:
$ sudo ./osxlockdown

Other options

Type the following command:

$ ./osxlockdown --help
Usage of ./osxlockdown:
  -commands_file string
    	JSON file containing the commands and configuration (default "commands.json")
    	Disables printing the rules that passed
    	Disables printing the summary
    	Implements fixes for failed checks. WARNING: Beware this may break things.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 3 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
3 comments… add one
  • Chris Dec 31, 2015 @ 8:49

    This document assumes you have WGET installed on OSX, On my Mac with OSX El Capitan, this was not already installed. I installed it using the homebrew package manager.

    Thanks for the script! useful!

    • 🐧 Vivek Gite Dec 31, 2015 @ 9:11

      Thanks for the heads up. The faq has been updated to include info about curl command.

  • Duncan Jan 28, 2016 @ 0:21

    the wget/curl command for the osxlockdown script is wrong, it’s missing the .go extension, it should be:

    $ curl -LO

    However, it’s easier just to git clone the whole project (including the licence and README), which will create the target directory as well:

    $ git clone

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum