# Structure documented in "docs/collections.md" os: macos scripting: language: shellscript startCode: |- #!/usr/bin/env bash # {{ $homepage }} — v{{ $version }} — {{ $date }} if [ "$EUID" -ne 0 ]; then script_path=$([[ "$0" = /* ]] && echo "$0" || echo "$PWD/${0#./}") sudo "$script_path" || ( echo 'Administrator privileges are required.' exit 1 ) exit 0 fi endCode: |- echo 'Your privacy and security is now hardened 🎉💪' echo 'Press any key to exit.' read -n 1 -s actions: - category: Privacy cleanup children: - category: Clear terminal history children: - name: Clear bash history recommend: standard code: rm -f ~/.bash_history - name: Clear zsh history recommend: standard code: rm -f ~/.zsh_history - name: Clear CUPS printer job cache recommend: strict code: |- sudo rm -rfv /var/spool/cups/c0* sudo rm -rfv /var/spool/cups/tmp/* sudo rm -rfv /var/spool/cups/cache/job.cache* - name: Empty trash on all volumes recommend: strict code: |- # on all mounted volumes sudo rm -rfv /Volumes/*/.Trashes/* &>/dev/null # on main HDD sudo rm -rfv ~/.Trash/* &>/dev/null - name: Clear system cache files recommend: strict code: |- sudo rm -rfv /Library/Caches/* &>/dev/null sudo rm -rfv /System/Library/Caches/* &>/dev/null sudo rm -rfv ~/Library/Caches/* &>/dev/null - name: Clear system log files recommend: strict code: |- sudo rm -rfv /private/var/log/asl/*.asl &>/dev/null sudo rm -rfv /Library/Logs/DiagnosticReports/* &>/dev/null sudo rm -rfv /Library/Logs/Adobe/* &>/dev/null rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/* &>/dev/null rm -rfv ~/Library/Logs/CoreSimulator/* &>/dev/null sudo rm -rfv /var/log/* - category: Clear browser history children: - category: Clear Google Chrome history children: - name: Clear Google Chrome browsing history code: |- rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null - name: Google Chrome Cache Files code: sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null - category: Clear Safari history children: - name: Clear Safari browsing history code: |- rm -f ~/Library/Safari/History.plist rm -f ~/Library/Safari/HistoryIndex.sk - name: Clear Safari downloads history code: rm -f ~/Library/Safari/Downloads.plist - name: Clear Safari top sites code: rm -f ~/Library/Safari/TopSites.plist - name: Clear Safari last session history code: rm -f ~/Library/Safari/LastSession.plist - name: Clear Safari caches code: |- rm -f ~/Library/Caches/com.apple.Safari/Cache.db rm -f ~/Library/Safari/WebpageIcons.db rm -rf ~/Library/Caches/com.apple.Safari/Webpage Previews - name: Clear copy of the Safari history code: rm -rf ~/Library/Caches/Metadata/Safari/History - name: Clear search history embedded in Safari preferences code: defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )' - name: Clear Safari cookies code: rm -f ~/Library/Cookies/Cookies.plists - name: Clear Safari zoom level preferences per site code: rm -f ~/Library/Safari/PerSiteZoomPreferences.plists - name: Clear URLs that are allowed to display notifications in Safari code: rm -f ~/Library/Safari/UserNotificationPreferences.plist - name: Clear Safari per-site preferences for Downloads, Geolocation, PopUps, and Autoplays code: rm -f ~/Library/Safari/PerSitePreferences.db - category: Clear Firefox history children: - name: Clear Firefox cache code: |- sudo rm -rf ~/Library/Caches/Mozilla/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite - name: Delete Firefox form history code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat - name: Delete Firefox site preferences code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite - name: Delete Firefox session restore data (loads after the browser closes or crashes) code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.js* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.js* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak* rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20* - name: Delete Firefox passwords docs: http://kb.mozillazine.org/Password_Manager code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons2.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons3.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json - name: Delete Firefox HTML5 cookies code: rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite - name: Delete Firefox crash reports code: |- rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/ rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp - name: Delete Firefox backup files code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4 - name: Delete Firefox cookies code: |- rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-shm rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http* - category: Clear third party application data children: - name: Clear Adobe cache recommend: standard code: sudo rm -rfv ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* &>/dev/null - name: Clear Gradle cache recommend: strict code: |- if [ -d "/Users/${HOST}/.gradle/caches" ]; then rm -rfv ~/.gradle/caches/ &> /dev/null fi - name: Clear Dropbox cache recommend: standard code: |- if [ -d "/Users/${HOST}/Dropbox" ]; then sudo rm -rfv ~/Dropbox/.dropbox.cache/* &>/dev/null fi - name: Clear Google Drive file stream cache recommend: standard code: |- killall "Google Drive File Stream" rm -rfv ~/Library/Application\ Support/Google/DriveFS/[0-9a-zA-Z]*/content_cache &>/dev/null - name: Clear Composer cache recommend: strict code: |- if type "composer" &> /dev/null; then composer clearcache &> /dev/null fi - name: Clear Homebrew cache recommend: strict code: |- if type "brew" &>/dev/null; then brew cleanup -s &>/dev/null rm -rfv $(brew --cache) &>/dev/null brew tap --repair &>/dev/null fi - name: Clear any old versions of Ruby gems recommend: strict code: |- if type "gem" &> /dev/null; then gem cleanup &>/dev/null fi - name: Clear Docker recommend: strict code: |- if type "docker" &> /dev/null; then docker system prune -af fi - name: Clear Pyenv-VirtualEnv cache recommend: strict code: |- if [ "$PYENV_VIRTUALENV_CACHE_PATH" ]; then rm -rfv $PYENV_VIRTUALENV_CACHE_PATH &>/dev/null fi - name: Clear NPM cache recommend: strict code: |- if type "npm" &> /dev/null; then npm cache clean --force fi - name: Clear Yarn cache recommend: strict code: |- if type "yarn" &> /dev/null; then echo 'Cleanup Yarn Cache...' yarn cache clean --force fi - category: iOS Cleanup children: - name: Clear iOS applications recommend: strict code: rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null - name: Clear iOS photo caches recommend: standard code: rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/* - name: Remove iOS Device Backups recommend: strict code: rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null - name: Clear iOS Simulators recommend: strict code: |- if type "xcrun" &>/dev/null; then osascript -e 'tell application "com.apple.CoreSimulator.CoreSimulatorService" to quit' osascript -e 'tell application "iOS Simulator" to quit' osascript -e 'tell application "Simulator" to quit' xcrun simctl shutdown all xcrun simctl erase all fi - name: Clear the list of iOS devices connected recommend: strict code: |- sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect" sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices sudo rm -rfv /var/db/lockdown/* - name: Clear XCode Derived Data and Archives recommend: strict code: |- rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null rm -rfv ~/Library/Developer/Xcode/Archives/* &>/dev/null rm -rfv ~/Library/Developer/Xcode/iOS Device Logs/* &>/dev/null - name: Clear DNS cache recommend: standard code: |- sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder - name: Purge inactive memory recommend: standard code: sudo purge - category: Reset privacy permissions for all applications children: - name: Reset camera permissions code: tccutil reset Camera - name: Reset microphone permissions code: tccutil reset Microphone - name: Reset accessibility permissions code: tccutil reset Accessibility - name: Reset screen capture permissions code: tccutil reset ScreenCapture - name: Reset reminders permissions code: tccutil reset Reminders - name: Reset photos permissions code: tccutil reset Photos - name: Reset calendar permissions code: tccutil reset Calendar - name: Reset full disk access permissions code: tccutil reset SystemPolicyAllFiles - name: Reset contacts permissions code: tccutil reset SystemPolicyAllFiles - name: Reset desktop folder permissions code: tccutil reset SystemPolicyDesktopFolder - name: Reset documents folder permissions code: tccutil reset SystemPolicyDocumentsFolder - name: Reset downloads permissions code: tccutil reset SystemPolicyDownloadsFolder - name: Reset all app permissions code: tccutil reset All - category: Configure programs children: - name: Disable Firefox telemetry recommend: standard docs: https://github.com/mozilla/policy-templates/blob/master/README.md code: |- # Enable Firefox policies so the telemetry can be configured. sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE # Disable sending usage data sudo defaults write /Library/Preferences/org.mozilla.firefox DisableTelemetry -bool TRUE revertCode: |- sudo defaults delete /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled sudo defaults delete /Library/Preferences/org.mozilla.firefox DisableTelemetry - name: Disable Microsoft Office diagnostics data sending recommend: standard code: defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData revertCode: defaults delete com.microsoft.office DiagnosticDataTypePreference - name: Uninstall Google update recommend: strict code: |- googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall if [ -f "$googleUpdateFile" ]; then $googleUpdateFile --nuke echo Uninstalled google update else echo Google update file does not exist fi - name: Disable Homebrew user behavior analytics recommend: standard docs: https://docs.brew.sh/Analytics call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export HOMEBREW_NO_ANALYTICS=1 - name: Disable NET Core CLI telemetry recommend: standard call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export DOTNET_CLI_TELEMETRY_OPTOUT=1 - name: Disable PowerShell Core telemetry recommend: standard docs: https://github.com/PowerShell/PowerShell/tree/release/v7.1.1#telemetry call: - function: PersistUserEnvironmentConfiguration parameters: configuration: export POWERSHELL_TELEMETRY_OPTOUT=1 - category: Configure OS children: - category: Configure Apple Remote Desktop children: - name: Deactivate the Remote Management Service recommend: strict code: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop revertCode: sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -restart -agent -console - name: Remove Apple Remote Desktop Settings recommend: strict code: |- sudo rm -rf /var/db/RemoteManagement sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/ rm -r ~/Library/Application\ Support/Remote\ Desktop/ rm -r ~/Library/Containers/com.apple.RemoteDesktop - name: Disable Internet based spell correction code: defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false revertCode: defaults delete NSGlobalDomain WebAutomaticSpellingCorrectionEnabled - name: Disable Remote Apple Events recommend: strict code: sudo systemsetup -setremoteappleevents off revertCode: sudo systemsetup -setremoteappleevents on - name: Do not store documents to iCloud Drive by default docs: https://macos-defaults.com/finder/nsdocumentsavenewdocumentstocloud.html recommend: standard code: defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false revertCode: defaults delete NSGlobalDomain NSDocumentSaveNewDocumentsToCloud - category: Security improvements children: - category: Configure macOS Application Firewall children: - name: Enable firewall recommend: standard docs: https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81681 code: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on revertCode: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off - name: Turn on firewall logging recommend: standard docs: https://www.stigviewer.com/stig/apple_os_x_10.13/2018-10-01/finding/V-81671 code: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on revertCode: /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode off - name: Turn on stealth mode recommend: standard docs: https://www.stigviewer.com/stig/apple_os_x_10.8_mountain_lion_workstation/2015-02-10/finding/V-51327 code: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on revertCode: /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off - name: Disable Spotlight indexing code: sudo mdutil -i off -d / revertCode: sudo mdutil -i on / - name: Disable Captive portal docs: - https://web.archive.org/web/20171008071031if_/http://blog.erratasec.com/2010/09/apples-secret-wispr-request.html#.WdnPa5OyL6Y - https://web.archive.org/web/20130407200745/http://www.divertednetworks.net/apple-captiveportal.html - https://web.archive.org/web/20170622064304/https://grpugh.wordpress.com/2014/10/29/an-undocumented-change-to-captive-network-assistant-settings-in-os-x-10-10-yosemite/ code: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false revertCode: sudo defaults delete /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active - name: Require a password to wake the computer from sleep or screen saver code: defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true revertCode: sudo defaults delete /Library/Preferences/com.apple.screensaver askForPassword - name: Do not show recent items on dock docs: https://developer.apple.com/documentation/devicemanagement/dock code: defaults write com.apple.dock show-recents -bool false revertCode: defaults delete com.apple.dock show-recents - name: Disable AirDrop file sharing recommend: strict code: defaults write com.apple.NetworkBrowser DisableAirDrop -bool true revertCode: defaults write com.apple.NetworkBrowser DisableAirDrop -bool false functions: - name: PersistUserEnvironmentConfiguration parameters: [ configuration ] code: |- command='{{ $configuration }}' declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile") for profile_file in "${profile_files[@]}" do touch "$profile_file" if ! grep -q "$command" "${profile_file}"; then echo "$command" >> "$profile_file" echo "[$profile_file] Configured" else echo "[$profile_file] No need for any action, already configured" fi done revertCode: |- command='{{ $configuration }}' declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile") for profile_file in "${profile_files[@]}" do if grep -q "$command" "${profile_file}" 2>/dev/null; then sed -i '' "/$command/d" "$profile_file" echo "[$profile_file] Reverted configuration" else echo "[$profile_file] No need for any action, configuration does not exist" fi done