Robot Cloud automates and enforces a Security Standard for OS X 10.11, and we're happy to announce that this security standard can be deployed across your environment.
The Robot Cloud Security Standard is the recommended minimum for hardening a Mac against outside intrusion. While you could manually configure most items on the list, it would take approximately 90 minutes per Mac to implement. Robot Cloud does this for you ... automatically! Plus, Robot Cloud ensures the settings remain unchanged.
The Robot Cloud Security Standard
REQUIREMENTS: OS X 10.11 or higher.
ABOUT CUSTOMIZATION: Because we want the Robot Cloud Security Standard to work across a variety of environments, we've chosen not to enforce everything that can be enforced. However, any item missing from your list is likely available as part of another Robot Cloud Action, or can be developed, upon request, for your environment.
Install Updates, Patches and Additional Security Software
- Enable Auto Update
- Enable app update installs
- Enable system data files and security update installs
- Enable OS X update installs
- Turn off Bluetooth, if no paired devices exist
- Show Bluetooth status in menu bar
- Enable "Set time and date automatically"
- Set an inactivity interval of 20 minutes or less for the screen saver
- Secure screen saver corners
- Verify Display Sleep is set to a value larger than the Screen Saver
- Set a screen corner to Start Screen Saver
- Disable Remote Apple Events
- Disable Internet Sharing
- Configure and harden SSH
- Disable Bluetooth Sharing
- Disable File Sharing
- Disable Remote Management — only for Standard User Accounts (non-admins)
- Disable sleeping the computer when connected to power
- Enable Gatekeeper
- Enable Firewall Stealth Mode
- Enable Secure Keyboard Entry in Terminal.app
Available as part of a separate Robot Cloud FileVault Action:
- Enable FileVault
Logging and Auditing
- Retain system.log for 90 or more days
- Retain appfirewall.log for 90 or more days
- Retain authd.log for 90 or more days
- Enable security auditing
- Configure Security Auditing Flags
- Retain install.log for 365 or more days
- Enable "Show Wi-Fi status in menu bar"
- Ensure HTTP server is not running
- Ensure FTP server is not running
- Ensure NFS server is not running
System Access, Authentication, and Authorization
- Secure Home Folders
- Check System Wide Applications for appropriate permissions
- Reduce the sudo timeout period
- Do not enable the "root" account (a Notification will be generated if enabled)
- Disable automatic login
- Require a password to wake the computer from sleep or screen saver
- Require an administrator password to access system-wide preferences
- System Integrity Protection status (a Notification will be generated if disabled)
Available as part of a separate Robot Cloud Password Management Utility:
- Configure account lockout threshold
- Set a minimum password length
- Complex passwords must contain an Alphabetic Character
- Complex passwords must contain a Numeric Character
- Complex passwords must contain a Special Character
- Complex passwords must contain uppercase and lowercase letters
- Password Age
- Password History
User Accounts and Environment
- Display login window as name and password
- Disable "Show password hints"
- Disable "Allow guests to connect to shared folders"
- Turn on filename extensions
- Disable the automatic run of safe files in Safari