
Lockdown


Lockdown is an open-source tool for El Capitan that audits and remediates security configuration settings.
Written as a UI wrapper for Summit Route's open-source 'osxlockdown' tool, Lockdown helps to secure OS X computers by reducing their attack surface.
current version: 1.0.0 (change log)
zip's sha-1: 11750570c270ca50944cd74359a49de9b937101d
source code: Lockdown


Before diving in, it is important to reiterate that Lockdown is simply a UI wrapper on top of Summit Route's excellent open-source 'osxlockdown' tool. In other words, Lockdown would not exist without this tool!

So why write a UI wrapper on top of an already great tool? Well, although power users may prefer osxlockdown, Lockdown provides:
  • A simple 'point and click' GUI-based experience
  • The ability to quickly toggle commands on and off, via the UI
  • Cryptographic verification of itself and the osxlockdown components

If Lockdown sounds right for you, it should be noted that the same warnings for osxlockdown apply here. Specifically (from osxlockdown's README):
  • Many of the rules disable functionality in the name of security. This may make you sad.
  • System commands and dark arts are involved, so ensure you have your system backed up first.

To use Lockdown to audit and/or harden your system, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


Then, simply double-click on 'Lockdown.app' and enter your password to authenticate. Click 'continue' to indicate you acknowledge the warnings:


Lockdown will then display a list of security configuration commands or rules. These rules will enable or configure recommended security features, or disable OS X features that may increase your Mac's attack surface. In other words, they will lock down your system, making it generically more difficult to hack!


It is generally suggested that you leave all commands enabled. However, any command can be disabled by simply deselecting the checkbox in the first column. For example, I personally use AirDrop quite often (at home), to transfer files between my various Apple devices. As such, as shown in the image above, I choose to deselect this command.

Lockdown (by means of osxlockdown) can either audit your system or fix it. Clicking the 'audit' button simply checks, or audits, your computer - no changes are made. The results of the audit will be displayed. A 'PASSED' indicates that for a given command (e.g. 'enable firewall'), your system is correctly and securely configured. On the other hand, a 'FAILED' means that for a given command, your system is not securely configured. A final score/pass rate is provided at the end of the results:


It is recommended that if an audit turns up any 'FAILED' results, they should be fixed! To fix any detected issues, simply click the 'fix' button. Note that this will make changes to your system. As previously mentioned, this may disable functionality in the name of security. Also, be patient, as some of the commands (such as verifying all software is current) may take a while. Ideally, you'll achieve a final score of 100%!


FAQs
Q: Why does Lockdown need my password?
A: Many of the commands that are executed by Lockdown to secure OS X (via osxlockdown) require system privileges. As such, Lockdown requests a password (via a standard authorization prompt).

Q: Why do some commands fail when I click 'fix'?
A: Some of the commands are fairly complex, and thus may fail in certain scenarios. As Lockdown simply executes the commands via osxlockdown, the failure logic likely exists within the osxlockdown core. Luckily, osxlockdown is open-source, so please submit any issues you uncover!

Q: Any other questions?
A: Feel free to shoot me an email at patrick@objective-see.com, or check out osxlockdown's FAQs.

  • © 2017 objective-see llc