Issues and Suggestions #188

Open
ghost opened this issue Mar 25, 2017 · 10 comments

ghost commented Mar 25, 2017

Some results with issues:

Issue >
CHECK #19: OpenSSL is up to date.... FAILED!
Although I am hitting "Y", it's not getting fixed after re-running the script.

```
macOS:ch moeirs$ openssl version
OpenSSL 1.0.2k 26 Jan 2017
```

Suggestion >
CHECK #24: Bluetooth is disabled.... FAILED!
This shouldn't be part of the check process, since many users use Bluetooth devices, and everyone should be aware that it should be turned off whenever necessary. It could be done by checking whether Bluetooth sharing is disabled or not and making sure it doesn't accept sharing automatically.

Suggestion >
CHECK #42: Google DNS servers are used by default on all network interfaces.... FAILED!
Why is using Google DNS recommended? I personally don't think so. In my experience, Google DNS is pretty slow compared to OpenDNS, which is much faster and more secure to use. (Actually it depends on location; Namebench is great to tell.) If you want to take it further, the default DNS with DNSCrypt installed is way more secure.

Suggestion >
CHECK #99: All Google Chrome web browser profiles block Flash cookies.... FAILED!
Adobe Flash is one of the most insecure platforms out there, and I truly believe that the script should scan and make sure Flash Player is not installed on macOS and also that Flash is blocked in the browser itself (manually done via chrome://flags).
Two things to be checked here:

  1. Prefer HTML over Flash --> should be enabled.
  2. Run all Flash content when Flash setting is set to "allow" --> sometimes we whitelist Flash websites or forget we allowed them when wanting to access something, so it's better for this option to be disabled, so that even whitelisted websites cannot run Flash.

This can be combined with CHECK #100, blocking/disabling/uninstalling Flash system-wide.

My results are good enough if I exclude GPGSuite and Bluetooth.

```
CHECK #109: OSX/Keydnap malware is not present.... PASSED!
Configurations passed total: 97 (88.99%)
Configurations failed or skipped total: 10 (9.17%)
Configurations passed without applying fix: 94 (86.24%)
Configurations passed after applying fix: 3 (2.75%)
Configurations failed and fix failed: 3 (2.75%)
Configurations failed and fix skipped: 0 (0.00%)
Configurations failed and fix declined: 7 (6.42%)
Configuration checks skipped: 0 (0.00%)
```

Thanks a lot for this amazing creation.

Aside request: although it's going to be hard to do, it would be just great to run a specific check instead of running all of them. This could be unnecessary, but it's pretty handy if it can be done.

@kristovatlas (Owner) commented

Thanks for the feedback! Much appreciated.

> Although I am hitting "Y" it's not getting fixed after re-running the script.

I need to fix this.

> This shouldn't be part of the check process since many users use Bluetooth devices and everyone should be aware that it should be turned off whenever necessary.

Fair point. Unfortunately there's no check for "user turns off Bluetooth when using it," and there are various things that can go wrong when you are using Bluetooth intentionally. For this reason, I believe I set disabling Bluetooth to either "recommended" or "experimental," rather than "required." I'll think about it some more, though.

> Why is using Google DNS recommended? I personally don't think so. In my experience, Google DNS is pretty slow compared to OpenDNS, which is much faster and more secure to use.

This is true. Most users are not using any custom DNS, which is generally less secure than using a custom one like Google or OpenDNS. I hoped that users who are savvy enough to use custom DNS infer that this is the intended effect, but I could make this more clear by updating the language at the very least.

> I truly believe that the script should scan and make sure Flash Player is not installed on macOS and also that Flash is blocked in the browser itself; manually done via chrome://flags.

Thanks for the suggestion -- I'll look into this.

> Aside request: although it's going to be hard to do, it would be just great to run a specific check instead of running all of them.

Absolutely. I'm pretty sure I opened an issue for this feature, and plan to implement it.


jauderho commented May 30, 2017

  • Not everyone uses Homebrew, so maybe there should be a flag disabling the check.
  • I believe recent versions of macOS now use LibreSSL instead of OpenSSL (still shipped), so it's not clear to me if this is still a required check.
  • Is there a way to track and display all the commands successfully executed at the end of a script run so that we can store it later for running on a different machine?
  • WebGL configured to default to block should be an acceptable setting?
  • Additional Chrome extensions to test for: HTTPS Everywhere and Privacy Badger.
  • Instead of disabling ntpd, one should simply restrict it to localhost. It's important to maintain accurate time.
  • As of Chrome 57, chrome://plugins has been removed, so it's not clear as to the value of disabling plugins.
  • Add check/change for Safari hyperlink auditing. See "Why are the privacy settings all greyed out? (disable hyperlink auditing)" el1t/uBlock-Safari#36

```
defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false
```

  • Test & disable SMB1 access and NetBIOS. In /etc/nsmb.conf:

```
[default]
protocol_vers_map=6
port445=no_netbios
```
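As an added example (not code from this project or from the commenter), here is how a check for the nsmb.conf hardening suggested above could be written in Python, the language the checker is written in. It assumes the reading of protocol_vers_map given in nsmb.conf(5): a bitmask with 1 = SMB1, 2 = SMB2, 4 = SMB3, so 6 allows SMB2 and SMB3 and excludes SMB1; the unset default of 7 (everything allowed) and the "normal" default for port445 are assumptions stated in the code. The file contents are constructed inline so the check runs offline.

```python
import configparser

# Bit values of protocol_vers_map as documented in nsmb.conf(5).
SMB1, SMB2, SMB3 = 1, 2, 4
# Assumed defaults when the keys are absent from /etc/nsmb.conf.
DEFAULT_VERS_MAP = 7      # all of SMB1/SMB2/SMB3 allowed
DEFAULT_PORT445 = "normal"  # try port 445, fall back to NetBIOS on 139


def parse_nsmb_conf(text):
    """Parse nsmb.conf text; it is INI-shaped with a [default] section."""
    parser = configparser.ConfigParser(default_section="__no_defaults__",
                                       interpolation=None)
    parser.read_string(text)
    return parser


def check_nsmb_conf(text):
    """Return a list of findings; an empty list means the hardening is in place."""
    cfg = parse_nsmb_conf(text)
    findings = []

    vers_map = cfg.getint("default", "protocol_vers_map", fallback=DEFAULT_VERS_MAP)
    if vers_map & SMB1:
        findings.append("SMB1 allowed (protocol_vers_map=%d)" % vers_map)
    if not vers_map & (SMB2 | SMB3):
        # Hardening that also removes SMB2/SMB3 would break every share.
        findings.append("no SMB2/SMB3 enabled (protocol_vers_map=%d)" % vers_map)

    port445 = cfg.get("default", "port445", fallback=DEFAULT_PORT445).strip().lower()
    if port445 != "no_netbios":
        findings.append("NetBIOS fallback on port 139 allowed (port445=%s)" % port445)
    return findings


def hardened_nsmb_conf():
    """The settings from the comment above, as a string a fix step could write."""
    return "[default]\nprotocol_vers_map=6\nport445=no_netbios\n"


if __name__ == "__main__":
    # Constructed sample: a stock file with nothing set, then the hardened one.
    for sample in ("", "[default]\nprotocol_vers_map=7\n", hardened_nsmb_conf()):
        print(repr(sample), "->", check_nsmb_conf(sample) or "PASSED")
```

Reading the real file is a matter of `check_nsmb_conf(open("/etc/nsmb.conf").read())`; a missing file is equivalent to the empty sample, i.e. both findings fire.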

@bknowles commented

It looks to me like set_openssl_latest_path.sh is not getting called, so on my system it is still finding OpenSSL 0.9.8zh 14 Jan 2016, instead of the version 1.0.2l that is currently available.

And note that 1.0.2l is later than the string the code is looking for, which is 1.0.2h.

@bknowles commented

I also note that you're checking for the last successful software update, but you're apparently requiring it to be the same day as the script that is running? Don't you want to convert that date/time string to a ctime integer since the Epoch and then compare that to the current date/time string converted to a ctime, and then require that there be a certain maximum distance that is allowed between these values?

So, if you wanted it to be within the last 24 hours, you could check if the difference is 86400 seconds or less -- assuming there hasn't been a Leap Second inserted today by NTP.
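The epoch-difference comparison described in the comment above, as an added example in Python (not the project's own check and not the commenter's code). It assumes the last-update timestamp is stored as a string like "2017-05-30 14:22:11 +0000", which is the shape of the `LastSuccessfulDate` key in `/Library/Preferences/com.apple.SoftwareUpdate` as I understand it; the key name and exact format are assumptions, and all timestamps in the demonstration are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed format of the stored value (e.g. from
# `defaults read /Library/Preferences/com.apple.SoftwareUpdate LastSuccessfulDate`).
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S %z"


def parse_timestamp(value):
    """Turn the stored string into a timezone-aware datetime."""
    return datetime.strptime(value.strip(), TIMESTAMP_FORMAT)


def update_is_recent(last_update, now, max_age_seconds=86400):
    """True if last_update lies within max_age_seconds before now.

    Subtracting aware datetimes is the same as subtracting epoch seconds, so
    an update at 23:50 yesterday still passes at 00:10 today, and an update on
    the same calendar day a week ago does not. Leap seconds are not modelled by
    datetime, which matters only at the exact 86400-second boundary.
    """
    age = now - last_update
    # A timestamp in the future means clock skew or tampering; do not let a
    # bad clock satisfy the check.
    return timedelta(0) <= age <= timedelta(seconds=max_age_seconds)


def check_software_update(stored_value, now_value=None, max_age_seconds=86400):
    """Mirror of a CHECK step: returns (passed, detail).

    now_value is a timestamp string in the same format, so the check can be
    exercised against fixed times; None means the current UTC time.
    """
    now = datetime.now(timezone.utc) if now_value is None else parse_timestamp(now_value)
    try:
        last = parse_timestamp(stored_value)
    except ValueError:
        return False, "could not parse last update timestamp: %r" % (stored_value,)
    age = int((now - last).total_seconds())
    return update_is_recent(last, now, max_age_seconds), "last successful update %d seconds ago" % age


if __name__ == "__main__":
    now = "2017-05-30 12:00:00 +0000"  # constructed reference time
    print(check_software_update("2017-05-29 23:50:00 +0000", now))  # yesterday, passes
    print(check_software_update("2017-05-23 12:00:00 +0000", now))  # a week ago, fails
```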

@bknowles commented

Hmm. The check for git needs to be updated, too. I have git version 2.13.6, but the check is for 2.9.3.

@bknowles commented

Same for curl -- curl 7.54.0 >> 7.50.1, but the test still fails.
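The OpenSSL, git and curl reports above all describe the same failure shape: a version newer than the one the check expects is reported as failing. An added example, not the project's own code or the commenter's, of a minimum-version comparison in Python that handles the cases named in this thread: multi-digit components (2.13.6 > 2.9.3, which plain string comparison gets backwards) and OpenSSL's patch-letter suffix (1.0.2l > 1.0.2h, 1.0.2 < 1.0.2a). The tool output strings are constructed samples in the shape of `openssl version`, `git --version` and `curl --version`.

```python
import re

# Constructed samples of the first line each tool prints.
SAMPLE_OUTPUT = {
    "openssl": "OpenSSL 1.0.2l  25 May 2017",
    "git": "git version 2.13.6",
    "curl": "curl 7.54.0 (x86_64-apple-darwin16.6.0) libcurl/7.54.0 SecureTransport zlib/1.2.8",
}

# Dotted digits followed by an optional run of lower-case letters (OpenSSL style).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)([a-z]*)")


def parse_version(text):
    """'1.0.2l' -> ((1, 0, 2), 'l'); 'git version 2.13.6' -> ((2, 13, 6), '').

    Takes the first version-looking token, so a whole `--version` line works.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no version number in %r" % (text,))
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def version_at_least(found, minimum):
    """Compare numerically, component by component, then by letter suffix."""
    f_nums, f_suffix = parse_version(found)
    m_nums, m_suffix = parse_version(minimum)
    width = max(len(f_nums), len(m_nums))
    f_nums += (0,) * (width - len(f_nums))  # treat 2.13 as 2.13.0
    m_nums += (0,) * (width - len(m_nums))
    # Tuple ordering: integers first, then '' < 'a' < ... < 'l' for the suffix.
    return (f_nums, f_suffix) >= (m_nums, m_suffix)


def check_minimum_version(tool, output, minimum):
    """Mirror of a CHECK line: pass if the reported version is >= minimum."""
    nums, suffix = parse_version(output)
    found = ".".join(str(n) for n in nums) + suffix
    ok = version_at_least(output, minimum)
    verdict = "PASSED!" if ok else "FAILED!"
    return ok, "CHECK: %s is at least %s (found %s).... %s" % (tool, minimum, found, verdict)


if __name__ == "__main__":
    for tool, minimum in (("openssl", "1.0.2h"), ("git", "2.9.3"), ("curl", "7.50.1")):
        print(check_minimum_version(tool, SAMPLE_OUTPUT[tool], minimum)[1])
    print(check_minimum_version("openssl", "OpenSSL 0.9.8zh 14 Jan 2016", "1.0.2h")[1])
```

An exact-match or string-equality check would still fail all three samples; the comparison above passes them and still fails the system 0.9.8zh that set_openssl_latest_path.sh was meant to replace.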

@bknowles commented

Is there a way to disable the Safari checks for plugins being disabled? Because I have plugins that help me keep my Safari browser secure, and I certainly don't want them being disabled.

@bknowles commented

For GPG, I don't think we want to try to force EncryptNewEmailsByDefault. Sign by default, sure. But encrypt by default? No.

@bknowles commented

@kristovatlas -- Do you want me to open separate issues for all the additional things I've found so far, or shall I continue to list them here?

And yes, I'm assuming that I will be sending you PRs for at least most of the things I find. Unless you don't want PRs, of course.

@kristovatlas (Owner) commented

Your preference. PRs welcome!
