macos_security
santa
macos_security | santa | |
---|---|---|
18 | 20 | |
1,565 | 4,309 | |
2.5% | 0.4% | |
9.1 | 8.9 | |
about 24 hours ago | 10 days ago | |
YAML | Objective-C | |
GNU General Public License v3.0 or later | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
macos_security
- Windows Security Compliance project
-
FIPS 140 and MacOS
For starters there's an entire NIST project for macOS Security Compliance - https://github.com/usnistgov/macos_security this will make your life a million times easier to meet a lot of the technical controls required for compliance. Nothing like this really exists for Windows or Linux(closest is Compliance As Code https://github.com/ComplianceAsCode/content)
-
Nist controls and acceptable artifacts and evidence. Does anyone have a controls spreadsheet that lists all 800-53 controls and evidence required to satisfy that control?
https://github.com/usnistgov/macos_security - for macOS this would help.
-
Need reporting about device CIS compliance
I’d highly recommend checking out the usnistgov/macos_security on GitHub. You can generate a benchmark and then feed the output into extension attributes to trigger policies on.
- CIS Benchmark deployment approach
-
Could use some advice on my career change
Study about cybersecurity, or how to harden a macOS fleet against published security frameworks.
-
Enrolling devices in ABM/Mosyle
Weigh the pros and cons about having your end-users be standard users or admins on their Macs. If they are already admins (probably), consider the political blowback if you take away their admin rights and flexibility and autonomy they've become used to. Conversely, consider the security posture of your organization. If it has to adhere to some well-known guides (like 800-171 o 800-53r5), then you may not be able to allow end-users to be admins. Take a look at the macOS Security Compliance Project.
-
Here's a recap of the top-voted webinar: How to Harden Macs!
NIST Compliance Benchmarks: github.com/usnistgov/macos_security
- Hardening macOS
-
Disabling Bonjour on monterey
Like OP, I'm trying to disable both bonjour and netbios. I'm using this script: https://github.com/usnistgov/macos_security/blob/main/includes/enablePF-mscp.sh
santa
- Linux being secure is a common misconception
-
Unable to install ruby due to google santa
For anyone wondering: https://github.com/google/santa
-
Reporting on new installed applications
Have you looked at SANTA?
-
Remote Code Execution Vulnerability in Google They Are Not Willing to Fix
Not directly relevant but interesting...
https://github.com/google/santa
This is a product developed by Google that has at least been utilized internally to some extent. It's not perfect, but my previous company used it and it does prevent unexpected unknown code from running in the background.
What it does not do is prevent someone from intentionally downloading and executing a library unless the upvoter actually comes to some demand that you do so. I found that it quickly became a bit of a "alert fatigue" where you approve things your coworkers send you so they can get back to work without properly vetting.
-
is it possible to see what account made changes to the system?
If you really want to get draconian with your controls/logging have a look into https://github.com/google/santa
-
MacOS + MDM Policies (Privacy, Notifications, Native Apps)
Is your company open to adopting open source tooling? There is a tool called Santa that could be used to block binaries from executing.
- Possible to restrict which applications a user can install/execute?
-
On Oct 24th Apple will release macOS Ventura - Are you ready?
you may like https://github.com/google/santa
-
Uber Investigating Breach of Its Computer Systems
> Infostealers for Mac are a thing (Uber is a mac heavy shop I hear)
Block unknown executables on company machines. Google developed Santa to protect themselves: https://github.com/google/santa
> and that's all it takes to steal cookies and tokens post-mfa,
Make post-MFA cookies and tokens short-lived. Require MFA re-authentication at least daily.
> or why even bother with that, if you're running code just make it a reverse shell.
All outbound connections should be strictly monitored, especially from production servers, which should have no ability to make outbound connections. With modern dependency management, that's harder for build servers, but still doable.
-
What Anti-Keylogging Software do you use or recommend?
https://github.com/google/santa for anyone curious
What are some alternatives?
macOS-Security-and-Privacy-Guide - Guide to securing and improving privacy on macOS
sequelpro - MySQL/MariaDB database management for macOS
Installomator - Installation script to deploy standard software on Macs
macOSLAPS - Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
CIS-macOS-Security
MacPass - A native macOS KeePass client
heimdall2 - Heimdall Enterprise Server 2 lets you view, store, and compare automated security control scan results.
CocoaLumberjack - A fast & simple, yet powerful & flexible logging framework for macOS, iOS, tvOS and watchOS
windows_hardening - HardeningKitty and Windows Hardening settings and configurations
pip - The Python package installer
CIS-for-macOS-BigSur-Intel-M1 - CIS Benchmarks for macOS Big Sur
CIS-for-macOS-Catalina-CP - CIS Benchmarks for macOS Catalina