Hardening your computer

I'm wondering if anybody here would be interested in seriously hardening your computer, with tools your tax dollars have already paid for?
NIWC Atlantic SCAP Compliance Checker

The tool and the compliance rules are for hardening the security of both popular operating systems and applications.
It lives in a family of tools considered compliance tools, i.e. to be in compliance you reconfigure parts of your OS or, say, web browser, to mainly disable anything that is considered weak security. There's a separate family of tools called vulnerability scanners that scan hosts looking for weaknesses.

The web site has links to the tools and content, and links to several youtube videos to explain the tool.

I use it for Red Hat Linux, and it'll take me about 2.5 days to harden a system from a fresh install to around the 95% rating.
But, programmatic hardening has improved over the years. Nowadays you could get a lot of hardening done using
Red Hat's built-in openscap, and Ansible hardening playbooks to get to 90% if you click the right boxes during the installation.
However:
- I'm dealing with a heterogeneous environment, so I have to think about the feasibility and impact of every rule. You wouldn't have that constraint.
- You could ignore the PKI rules; you won't have a DoD PKI set up.
- The NIWC tool *only* scans. It cannot and will not make any change to your OS or application.

People pay money to buy an antivirus product, or an AV plus web filter product. It may be 50% effective.
There are real security tools out there that your tax dollars have already paid for. You just don't know where to find them.
 
Great link!

This is the result on an "out of the box" macOS 12.6.1 install (Monterey):
[screenshot: compliance checker result summary]


However, one of the errors it found seems erroneous?
[screenshot: the flagged check]


Shows how low an "out of the box" commercial OS scores though.
 
For that guest account failure, what I think you show is you didn't enable a guest account on your host.
The compliance checker makes sure that capability has been disabled, so that nobody can create a guest account, even if they wanted to.

A lot of the settings are things even experienced people never come across.

Also, in my experience with Red Hat, there's I think 372 checks but I have to *manually* check 143 of them.

In your MacOS screenshot I see 200 under "Not Selected". I think those are the ones you have to manually read and then move a menu selection to either "Finding" (Fail), "Not a Finding" (Pass), or "Not Applicable".
The manual checks are the ones that take a lot of time to complete.
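Added example (my code, not SCC's or OpenSCAP's) for the OP's point that the scanner only reports and this post's point that a large share of the rules are manual: a small Python reader for an XCCDF 1.2 TestResult that tallies outcomes, computes a simplified pass percentage (pass over pass+fail, an assumption rather than SCC's published formula), records the reviewer's Finding / Not a Finding / Not Applicable decisions for the rules the scanner did not evaluate, and lists the fails by severity. The result fragment and rule ids are constructed. In XCCDF terms, `notchecked` is the state of a rule the scanner did not evaluate, while `notselected` is a rule the chosen profile left out.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed XCCDF TestResult fragment for illustration. The rule ids are
# invented; real SCC/OpenSCAP results carry the benchmark's own ids.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_demo">
  <rule-result idref="xccdf_example_rule_sshd_ciphers" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_sshd_banner" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_guest_account_disabled" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_disk_encryption" severity="high"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_firewall_enabled" severity="high"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_smartcard_login" severity="medium"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_example_rule_icloud_disabled" severity="low"><result>notchecked</result></rule-result>
  <rule-result idref="xccdf_example_rule_legacy_service" severity="low"><result>notselected</result></rule-result>
</TestResult>
"""

MANUAL_DECISIONS = {"pass", "fail", "notapplicable"}  # Not a Finding / Finding / N/A


def parse_rule_results(xml_text):
    """Return {rule_id: {"result": ..., "severity": ...}} from an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        results[rr.get("idref")] = {
            "result": result_el.text.strip().lower(),
            "severity": rr.get("severity", "unknown"),
        }
    return results


def score(rule_results):
    """Tally outcomes and compute a simplified pass percentage.

    Assumption (not SCC's published formula): only rules with a definite
    pass/fail outcome count. 'notchecked' rules await a reviewer,
    'notselected' rules were excluded by the profile, and 'notapplicable'
    rules are out of scope for this host.
    """
    tally = {"pass": 0, "fail": 0, "needs_review": 0, "not_applicable": 0,
             "not_selected": 0, "other": 0}
    for r in rule_results.values():
        res = r["result"]
        if res == "pass":
            tally["pass"] += 1
        elif res == "fail":
            tally["fail"] += 1
        elif res == "notchecked":
            tally["needs_review"] += 1
        elif res == "notapplicable":
            tally["not_applicable"] += 1
        elif res == "notselected":
            tally["not_selected"] += 1
        else:  # error, unknown, informational, fixed
            tally["other"] += 1
    scored = tally["pass"] + tally["fail"]
    tally["percent"] = round(100.0 * tally["pass"] / scored, 1) if scored else None
    return tally


def apply_manual_review(rule_results, decisions):
    """Record reviewer decisions for manual ('notchecked') rules.

    decisions maps rule id -> 'pass' | 'fail' | 'notapplicable'. The function
    refuses to overwrite an automated result, so a scanner 'fail' cannot be
    flipped to 'pass' through the manual-review path. Returns a new dict.
    """
    updated = {rid: dict(r) for rid, r in rule_results.items()}
    for rid, decision in decisions.items():
        if decision not in MANUAL_DECISIONS:
            raise ValueError(f"invalid decision {decision!r} for {rid}")
        if rid not in updated:
            raise KeyError(rid)
        if updated[rid]["result"] != "notchecked":
            raise ValueError(f"{rid} is an automated check; not reviewable")
        updated[rid]["result"] = decision
    return updated


def open_findings(rule_results):
    """Failing rule ids, highest severity first, for the remediation queue."""
    order = {"high": 0, "medium": 1, "low": 2}
    fails = [rid for rid, r in rule_results.items() if r["result"] == "fail"]
    return sorted(fails, key=lambda rid: (order.get(rule_results[rid]["severity"], 3), rid))


if __name__ == "__main__":
    results = parse_rule_results(SAMPLE_RESULTS)
    print("automated only:", score(results))
    # Home-user review: no DoD PKI, so smart-card login is N/A; iCloud stays on, so it is a Finding.
    reviewed = apply_manual_review(results, {
        "xccdf_example_rule_smartcard_login": "notapplicable",
        "xccdf_example_rule_icloud_disabled": "fail",
    })
    print("after manual review:", score(reviewed))
    print("fix first:", open_findings(reviewed))
```

Note how the percentage drops once the manual items are reviewed: the automated pass rate is flattering until the reviewer works through the queue, which is the slow part this post describes.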
 
Given that various computers will respond differently, what kind of performance hit might one see for a relatively modern/recent PC or laptop? i9 processor or similar.
 
I'm wondering if anybody here would be interested in seriously hardening your computer, with tools your tax dollars have already paid for?
NIWC Atlantic SCAP Compliance Checker
Not today, Mr. alphabet agency man
 
I just can't be bothered. I run a firewall on my linux install but that's it. No AV. My real data is on a separate ZFS partition and is backed up to an amazon cloud server, beyond that if I get hacked it's a wipe and 10 minute re-install from ISO's and I'm back up and running.

Of course I don't do anything illegal either so there's that element. I keep my browser up to date and don't visit sketchy sites.

The servers I administrate run fail2ban and a firewall and that's basically it. Never been hacked, never lost any down time to these decisions, and it's been 25+ years of "just can't be bothered, don't do stupid, you'll be fine".

This will keep out 99.999% of people, and the others... well if you're a target for them I don't think you're going to get away from them anyway no matter what you do.

With all the very incredibly smart people having access to the Linux project, my guess is there are probably a number of different ways in by the 3 letter agencies that we simply don't know about and it's less effort to accept it than to try and fight it; if they want my YouTube history or the Java code I wrote for my boss that badly, they're welcome to it.
 
Given that various computers will respond differently, what kind of performance hit might one see for a relatively modern/recent PC or laptop? i9 processor or similar.
The modern processors have AES hardware encryption extensions. You don't get much of a performance hit there.
IME the real hit comes from turning auditing up very high, and forcing buffers to flush to disk before processing is allowed to continue. On RHEL8 I may see peaks of 8MB/min of auditing written to disk. If one is mandated to keep a year of audit data, mama needs a terabyte HDD partition just for that.
The early RHEL8 I'd have a frozen system from just logging in.
I think some of that's been fixed, by suppressing SELinux denial messages. I'm not that good on SELinux and I'd never heard of silent denials, so I'm going to need more time with it.
If you want full compliance you need to partition the HDD in a different way than the default, so that means performing a fresh install. Some of the reason is so you can jail off audit logs, so when they fill a partition to 100% you can still rescue the host. (Otherwise you'd never be able to run the host and log in, if the root filesystem is 100% full.)
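The audit trade-offs this post describes, as an added example (my code, not anything from NIWC or Red Hat): a checker that reads auditd.conf values and a mount list and reports whether the audit log sits on its own filesystem, whether the flush mode forces a disk write per record, and whether the disk-full actions let the host keep running without auditing. The two config excerpts and both mount tables are constructed; the hardened values are my assumption of what STIG-style profiles typically ask for, not quoted from any benchmark. The storage helper is the worst case of the peak rate mentioned above sustained for a whole retention period.

```python
# Constructed auditd.conf excerpts for illustration (not copied from a host).
# The first mirrors common distribution defaults; the second is an assumed
# hardened variant, not text from any benchmark.
DEFAULT_CONF = """
log_file = /var/log/audit/audit.log
flush = INCREMENTAL_ASYNC
freq = 50
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
"""

HARDENED_CONF = """
log_file = /var/log/audit/audit.log
flush = DATA          # fdatasync after every record: the expensive setting
freq = 50
space_left = 500
space_left_action = EMAIL
admin_space_left = 100
admin_space_left_action = SINGLE
disk_full_action = HALT
"""

# Constructed mount tables (mount points only), standing in for /proc/mounts.
MOUNTS_DEFAULT_LAYOUT = ["/", "/boot"]
MOUNTS_SEPARATE_AUDIT = ["/", "/boot", "/var", "/var/log/audit"]

FLUSH_PER_RECORD = {"data", "sync"}  # auditd modes that sync every record before continuing
# Actions under which the host carries on running after auditing stops or space runs low.
KEEPS_RUNNING = {"ignore", "syslog", "rotate", "email", "exec", "suspend"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines into a dict; keys/values lower-cased, '#' comments dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().lower()
    return conf


def mount_point_for(path, mounts):
    """Longest-prefix match of a path against a list of mount points."""
    best = "/"
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best):
            best = mp
    return best


def audit_storage_gib(peak_mb_per_min, retention_days):
    """Worst-case GiB needed if the peak write rate were sustained for the whole retention period."""
    return peak_mb_per_min * 60 * 24 * retention_days / 1024.0


def assess(conf, mounts):
    """Report the layout/flush/action checks a hardening profile cares about."""
    log_file = conf.get("log_file", "/var/log/audit/audit.log")
    log_dir = log_file.rsplit("/", 1)[0]
    holder = mount_point_for(log_dir, mounts)
    own_fs = holder == log_dir
    flush = conf.get("flush", "none")
    findings = []
    if not own_fs:
        findings.append(f"{log_dir} lives on the {holder} filesystem: a full audit log fills it too")
    if conf.get("disk_full_action", "suspend") in KEEPS_RUNNING:
        findings.append("disk_full_action keeps the host running after auditing stops (profiles want halt or single)")
    if conf.get("admin_space_left_action", "suspend") in KEEPS_RUNNING:
        findings.append("admin_space_left_action keeps the host running past the admin threshold")
    return {
        "audit_on_own_fs": own_fs,
        "flush_mode": flush,
        "flush_per_record": flush in FLUSH_PER_RECORD,
        "findings": findings,
    }


if __name__ == "__main__":
    print("default:", assess(parse_auditd_conf(DEFAULT_CONF), MOUNTS_DEFAULT_LAYOUT))
    print("hardened:", assess(parse_auditd_conf(HARDENED_CONF), MOUNTS_SEPARATE_AUDIT))
    print("GiB for 8 MB/min sustained over a year:", audit_storage_gib(8, 365))
```

The separate-filesystem check is the point about rescuing a host: with `/var/log/audit` on its own mount, a runaway audit log cannot fill `/` and lock you out, and `halt`/`single` are only survivable once that is true.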
 
For that guest account failure, what I think you show is you didn't enable a guest account on your host.
The compliance checker makes sure that capability has been disabled, so that nobody can create a guest account, even if they wanted to.
Yes, it looks like you have to manually make a .plist file (the one it is looking for).

EDIT: Looks like this is deprecated:

So it's looking for something that isn't supported anymore.
A lot of the settings are things even experienced people never come across.
Yes, and may not be logical for a home computer, like disabling iCloud or requiring Smart Card login, both of which impacted my security score.
Also, in my experience with Red Hat, there's I think 372 checks but I have to *manually* check 143 of them.

In your MacOS screenshot I see 200 under "Not Selected". I think those are the ones you have to manually read and then move a menu selection to either "Finding" (Fail), "Not a Finding" (Pass), or "Not Applicable".
The manual checks are the ones that take a lot of time to complete.
Yes, I noticed that, will have to go back through once I can improve my score as much as reasonable based on the stuff it did find.
 
I got 25% on my windows 10 ThinkPad. I guess it's better than 9. Lol.
Some of the checks that impact a score do so even with services that are disabled. For example, SSH is disabled on my box, but it still runs all the security checks against the SSH daemon configuration, which has three different things that impact my score. So even though SSHD isn't even running, because I have the default configs in place for it, my score is negatively impacted.
 
I like how the majority of members here fear any DM or PM is an attempt to hack their computer and steal their house and identity....lol
Seriously 😳
I know I personally have mine restricted because of unsolicited PM's from members whom I don't wish to interact with outside the public-facing side of the board. I'm sure others feel the same ;)
 
I know I personally have mine restricted because of unsolicited PM's from members whom I don't wish to interact with outside the public-facing side of the board. I'm sure others feel the same ;)
My post was not referring to you or that option. But I have noticed what I posted for years. That said I honestly don't understand that option but I respect people's right to do as they wish.
 
My post was not referring to you or that option.
Wasn't saying you were, just noting that there are legitimate reasons beyond paranoia about being phished or "hacked" for restricting PM's. Mine are "friends" only, so people I follow can PM me.
But I have noticed what I posted for years. That said I honestly don't understand that option but I respect people's right to do as they wish.
I've received some pretty wild PM's over the years ranging from character attacks and outright threats of violence to "let me explain this to you" in response to comments I've made on the open forum by people, as I noted, that I do not want to be having an "off the record" conversation with. So, it's just easier to restrict it.
 