# Enforce Privacy & Security Best-Practices on macOS Using Terminal in 15 minutes

> No need to run any compiled software on your system, just run the generated scripts using Terminal.

- **Published by:** [The BlogChain Newsletter](https://paragraph.com/@kazani/)
- **Published on:** 2023-08-14
- **Categories:** macos, privacy, security, terminal, guide
- **URL:** https://paragraph.com/@kazani/enforce-privacy-and-security-best-practices-on-macos-using-terminal

## Content

Unveil the hidden potential of your Mac's Terminal to lock down your privacy and security like a pro. Dive into a world of powerful commands and master the art of protecting your digital haven.

### Introduction: Unleashing Terminal Magic for Rock-Solid macOS Privacy and Security

Welcome to a realm where your Mac's true power lies beneath the sleek surface of its user-friendly interface. The Terminal, often overshadowed by its graphical counterparts, holds the key to transforming your macOS experience into an impregnable fortress of privacy and security. In this guide, we'll delve deep into the heart of Terminal commands, unlocking their potential to shield your digital life from prying eyes and malicious threats.

Are you tired of sifting through countless settings and apps to secure your Mac? Fret not, for we're about to embark on an exciting journey through the Terminal's secret passages. Buckle up, fellow Mac enthusiast, as we unveil a treasure trove of knowledge and equip you with the tools needed to enforce privacy and security best-practices like a seasoned hacker (minus the black hoodie and Matrix code).

### Why Terminal? Unmasking the Power Behind the Command Line

"Why bother with Terminal when I have shiny icons and user-friendly settings?"

Ah, a valid question, my curious friend. While macOS offers a range of built-in security features, Terminal provides you with unparalleled control over your system's inner workings. Here's why diving into the command line can be a game-changer:

- **Precision at Your Fingertips:** Terminal commands allow you to make precise changes to your system, tailoring security measures to your exact needs. No more sifting through convoluted menus.
- **Speed and Efficiency:** Zip through tasks that would normally take several clicks with just a few keystrokes. Your time is valuable, after all.
- **Access to Hidden Settings:** Unearth settings that are usually tucked away, granting you access to advanced privacy configurations that the average user can only dream of.
- **Script Your Defenses:** With Terminal, you can create custom scripts to automate security processes, ensuring your Mac stays fortified without breaking a sweat.

### The Commandments: Essential Terminal Commands for Fortifying Privacy

Ready to flex your newfound Terminal muscles? Here's a compilation of must-know commands to bolster your Mac's privacy defenses:

- **Firewall Fortification (`firewall-cmd`):** Shield your Mac from unauthorized network access by configuring the built-in firewall. Limit incoming connections and decide which apps can communicate through the network.
- **File Encryption Mastery (`gpg`):** Secure your sensitive files with military-grade encryption using the GnuPG tool. Keep your data locked down, even if someone gains physical access to your machine.
- **Privacy-Preserving Browsing (`tor`):** Explore the depths of the internet with enhanced privacy through the Tor network. Safeguard your online activities from prying eyes.
- **Two-Factor Authentication (`ssh-keygen`):** Elevate your authentication game by generating SSH key pairs.
  Bid farewell to solely relying on passwords for accessing your Mac.
- **Cache Clearance (`dscacheutil`):** Wipe away traces of your DNS cache, erasing any records of your online escapades. Keep your browsing history for your eyes only.

### FAQs: Decrypting Your Terminal Mysteries

**Q: Is it safe to use Terminal for security configurations?**
A: Absolutely! Terminal is a powerful tool in the hands of a cautious user. Just ensure you follow instructions carefully and double-check commands before hitting Enter.

**Q: Can I undo changes made through Terminal?**
A: In most cases, yes. Many commands have reversal counterparts or can be undone by resetting settings. However, it's wise to back up your data before performing extensive changes.

**Q: Will using Terminal void my warranty?**
A: Nope, using Terminal commands within macOS's intended scope won't void your warranty. However, venturing into unauthorized territories might raise some eyebrows at the Genius Bar.

📙 Start by exploring different categories and choosing different tweaks.

### Privacy Cleanup

Clear Bash History:
```bash
rm -f ~/.bash_history
```

Clear zsh history:
```bash
rm -f ~/.zsh_history
```

#### Clear OS Logs

Clear Diagnostics Logs:
```bash
sudo rm -rfv /private/var/db/diagnostics/*
sudo rm -rfv /var/db/diagnostics/*
```

Clear shared-cache strings data:
```bash
sudo rm -rfv /private/var/db/uuidtext/
sudo rm -rfv /var/db/uuidtext/
```

Clear Apple System Logs (ASL):
```bash
sudo rm -rfv /private/var/log/asl/*
sudo rm -rfv /var/log/asl/*
sudo rm -fv /var/log/asl.log # Legacy ASL (10.4)
sudo rm -fv /var/log/asl.db
```

Clear Install Logs:
```bash
sudo rm -fv /var/log/install.log
```

Clear All System Logs:
```bash
sudo rm -rfv /var/log/*
```

Clear System Application Logs:
```bash
sudo rm -rfv /Library/Logs/*
```

Clear Mail Logs:
```bash
rm -rfv ~/Library/Containers/com.apple.mail/Data/Library/Logs/Mail/*
```

Clear Audit Logs (login, logout, authentication and other user activity):
```bash
sudo rm -rfv /var/audit/*
sudo rm -rfv /private/var/audit/*
```

Clear User Logs (User Reports):
```bash
sudo rm -rfv ~/Library/Logs/*
```

Clear Daily Logs:
```bash
sudo rm -fv /System/Library/LaunchDaemons/com.apple.periodic-*.plist
```

Clear Receipt Logs for Installed Packages/Apps:
```bash
sudo rm -rfv /var/db/receipts/*
sudo rm -vf /Library/Receipts/InstallHistory.plist
```

#### Clear Browser History

Clear Google Chrome Browser History:
```bash
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History &>/dev/null
rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/History-journal &>/dev/null
```

Clear Google Chrome Cache Files:
```bash
sudo rm -rfv ~/Library/Application\ Support/Google/Chrome/Default/Application\ Cache/* &>/dev/null
```

Clear Safari Caches:
```bash
rm -f ~/Library/Caches/com.apple.Safari/Cache.db
rm -f ~/Library/Safari/WebpageIcons.db
rm -rfv ~/Library/Caches/com.apple.Safari/Webpage\ Previews
```

Clear Safari Browsing History:
```bash
rm -f ~/Library/Safari/History.db
rm -f ~/Library/Safari/History.db-lock
rm -f ~/Library/Safari/History.db-shm
rm -f ~/Library/Safari/History.db-wal
# For older versions of Safari
rm -f ~/Library/Safari/History.plist # URL, visit count, webpage title, last visited timestamp, redirected URL, autocomplete
rm -f ~/Library/Safari/HistoryIndex.sk # History index
```

Clear Safari Downloads History:
```bash
rm -f ~/Library/Safari/Downloads.plist
```

Clear Safari Top Sites:
```bash
rm -f ~/Library/Safari/TopSites.plist
```

Clear Safari Last Session (Open Tabs) History:
```bash
rm -f ~/Library/Safari/LastSession.plist
```

Clear Copy of the Safari History:
```bash
rm -rfv ~/Library/Caches/Metadata/Safari/History
```

Clear Search History Embedded in Safari Preferences:
```bash
defaults write ~/Library/Preferences/com.apple.Safari RecentSearchStrings '( )'
```

Clear Safari Cookies:
```bash
rm -f ~/Library/Cookies/Cookies.binarycookies
rm -f ~/Library/Cookies/Cookies.plist
```

Clear Safari Zoom Level Preferences Per Site:
```bash
rm -f ~/Library/Safari/PerSiteZoomPreferences.plist
```

Clear URLs that are allowed to display notifications in Safari:
```bash
rm -f ~/Library/Safari/UserNotificationPreferences.plist
```

Clear Safari Per-Site Preference for Downloads, Geolocation, PopUps and Autoplays:
```bash
rm -f ~/Library/Safari/PerSitePreferences.db
```

Clear Firefox Cache:
```bash
sudo rm -rf ~/Library/Caches/Mozilla/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/netpredictions.sqlite
```

Delete Firefox Form History:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/formhistory.dat
```

Delete Firefox Site Preference:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/content-prefs.sqlite
```

Delete Firefox session restore data (loads after the browser closes or crashes):
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionCheckpoints.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore*.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.js*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/recovery.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/previous.bak*
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/sessionstore-backups/upgrade.js*-20*
```

Delete Firefox Passwords:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons2.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons3.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/signons.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/logins.json
```

Delete Firefox HTML5 Cookies:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/webappsstore.sqlite
```

Delete Firefox Crash Reports:
```bash
rm -rfv ~/Library/Application\ Support/Firefox/Crash\ Reports/
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/minidumps/*.dmp
```

Delete Firefox Backup Files:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.json
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/bookmarkbackups/*.jsonlz4
```

Delete Firefox Cookies:
```bash
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.txt
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-shm
rm -fv ~/Library/Application\ Support/Firefox/Profiles/*/cookies.sqlite-wal
rm -rfv ~/Library/Application\ Support/Firefox/Profiles/*/storage/default/http*
```

#### Clear Third Party Application Data

Clear Adobe Cache:
```bash
sudo rm -rfv ~/Library/Application\ Support/Adobe/Common/Media\ Cache\ Files/* &>/dev/null
```

Clear Gradle Cache:
```bash
# $HOME is the user's home directory ($HOST is the machine's hostname in zsh)
if [ -d "$HOME/.gradle/caches" ]; then
    rm -rfv ~/.gradle/caches/ &> /dev/null
fi
```

Clear Dropbox Cache:
```bash
if [ -d "$HOME/Dropbox" ]; then
    sudo rm -rfv ~/Dropbox/.dropbox.cache/* &>/dev/null
fi
```

Clear Google Drive File Stream Cache:
```bash
killall "Google Drive File Stream"
rm -rfv ~/Library/Application\ Support/Google/DriveFS/[0-9a-zA-Z]*/content_cache &>/dev/null
```

Clear Composer Cache:
```bash
if type "composer" &> /dev/null; then
    composer clearcache &> /dev/null
fi
```

Clear Homebrew Cache:
```bash
if type "brew" &>/dev/null; then
    brew cleanup -s &>/dev/null
    rm -rfv "$(brew --cache)" &>/dev/null
    brew tap --repair &>/dev/null
fi
```

Clear Any Old Versions of Ruby Gems:
```bash
if type "gem" &> /dev/null; then
    gem cleanup &>/dev/null
fi
```

Clear Docker:
```bash
if type "docker" &> /dev/null; then
    docker system prune -af
fi
```

Clear Pyenv-VirtualEnv Cache:
```bash
if [ "$PYENV_VIRTUALENV_CACHE_PATH" ]; then
    rm -rfv "$PYENV_VIRTUALENV_CACHE_PATH" &>/dev/null
fi
```

Clear NPM Cache:
```bash
if type "npm" &> /dev/null; then
    npm cache clean --force
fi
```

Clear Yarn Cache:
```bash
if type "yarn" &> /dev/null; then
    echo 'Cleanup Yarn Cache...'
    yarn cache clean --force
fi
```

#### iOS Cleanup

Clear iOS Applications:
```bash
rm -rfv ~/Music/iTunes/iTunes\ Media/Mobile\ Applications/* &>/dev/null
```

Clear iOS Photo Caches:
```bash
rm -rf ~/Pictures/iPhoto\ Library/iPod\ Photo\ Cache/*
```

Remove iOS Device Backups:
```bash
rm -rfv ~/Library/Application\ Support/MobileSync/Backup/* &>/dev/null
```

Clear iOS Simulators:
```bash
if type "xcrun" &>/dev/null; then
    osascript -e 'tell application "com.apple.CoreSimulator.CoreSimulatorService" to quit'
    osascript -e 'tell application "iOS Simulator" to quit'
    osascript -e 'tell application "Simulator" to quit'
    xcrun simctl shutdown all
    xcrun simctl erase all
fi
```

Clear the List of iOS Devices Connected:
```bash
sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
sudo defaults delete /Users/$USER/Library/Preferences/com.apple.iPod.plist Devices
sudo defaults delete /Library/Preferences/com.apple.iPod.plist "conn:128:Last Connect"
sudo defaults delete /Library/Preferences/com.apple.iPod.plist Devices
sudo rm -rfv /var/db/lockdown/*
```

#### Reset Privacy Permissions For All Applications

Reset Camera Permissions:
```bash
tccutil reset Camera
```

Reset Microphone Permissions:
```bash
tccutil reset Microphone
```

Reset Accessibility Permissions:
```bash
tccutil reset Accessibility
```

Reset Screen Capture Permissions:
```bash
tccutil reset ScreenCapture
```

Reset Reminders Permissions:
```bash
tccutil reset Reminders
```

Reset Photos Permissions:
```bash
tccutil reset Photos
```

Reset Calendar Permissions:
```bash
tccutil reset Calendar
```

Reset Full Disk Access Permissions:
```bash
tccutil reset SystemPolicyAllFiles
```

Reset Contacts Permissions:
```bash
# Contacts is the AddressBook service; SystemPolicyAllFiles is Full Disk Access
tccutil reset AddressBook
```

Reset Desktop Folder Permissions:
```bash
tccutil reset SystemPolicyDesktopFolder
```

Reset Documents Folder Permissions:
```bash
tccutil reset SystemPolicyDocumentsFolder
```

Reset Downloads Permissions:
```bash
tccutil reset SystemPolicyDownloadsFolder
```

Reset All App Permissions:
```bash
tccutil reset All
```

Clear CUPS Printer Job Cache:
```bash
sudo rm -rfv /var/spool/cups/c0*
sudo rm -rfv /var/spool/cups/tmp/*
sudo rm -rfv /var/spool/cups/cache/job.cache*
```

Empty Trash on All Volumes:
```bash
sudo rm -rfv /Volumes/*/.Trashes/* &>/dev/null
sudo rm -rfv ~/.Trash/* &>/dev/null
```

Clear System Cache Files:
```bash
sudo rm -rfv /Library/Caches/* &>/dev/null
sudo rm -rfv /System/Library/Caches/* &>/dev/null
sudo rm -rfv ~/Library/Caches/* &>/dev/null
```

Clear Xcode Derived Data and Archives:
```bash
rm -rfv ~/Library/Developer/Xcode/DerivedData/* &>/dev/null
rm -rfv ~/Library/Developer/Xcode/Archives/* &>/dev/null
# Spaces in the path must be escaped, otherwise rm receives three separate arguments
rm -rfv ~/Library/Developer/Xcode/iOS\ Device\ Logs/* &>/dev/null
```

Clear DNS Cache:
```bash
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
```

Purge Inactive Memory:
```bash
sudo purge
```

### Configure Programs

Disable Automatically Downloading Parallels Desktop Updates:
```bash
defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Download updates automatically' -bool no
```

Disable Automatically Checking for Parallels Desktop Updates:
```bash
defaults write 'com.parallels.Parallels Desktop' 'Application preferences.Check for updates' -int 0
```

Turn off Ads in Parallels Desktop:
```bash
defaults write 'com.parallels.Parallels Desktop' 'ProductPromo.ForcePromoOff' -bool yes
defaults write 'com.parallels.Parallels Desktop' 'WelcomeScreenPromo.PromoOff' -bool yes
```

Disable Firefox Telemetry:
```bash
# Enable Firefox policies so the telemetry can be configured.
sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE
# Disable sending usage data.
sudo defaults write /Library/Preferences/org.mozilla.firefox DisableTelemetry -bool TRUE
```

Disable Microsoft Office Diagnostics Data Sending:
```bash
defaults write com.microsoft.office DiagnosticDataTypePreference -string ZeroDiagnosticData
```

Uninstall Google Update:
```bash
googleUpdateFile=~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ksinstall
if [ -f "$googleUpdateFile" ]; then
    "$googleUpdateFile" --nuke
    echo Uninstalled google update
else
    echo Google update file does not exist
fi
```

Disable Homebrew User Behavior Analytics:
```bash
command='export HOMEBREW_NO_ANALYTICS=1'
declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
for profile_file in "${profile_files[@]}"
do
    touch "$profile_file"
    if ! grep -q "$command" "${profile_file}"; then
        echo "$command" >> "$profile_file"
        echo "[$profile_file] Configured"
    else
        echo "[$profile_file] No need for any action, already configured"
    fi
done
```

Disable .NET Core CLI Telemetry:
```bash
command='export DOTNET_CLI_TELEMETRY_OPTOUT=1'
declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
for profile_file in "${profile_files[@]}"
do
    touch "$profile_file"
    if ! grep -q "$command" "${profile_file}"; then
        echo "$command" >> "$profile_file"
        echo "[$profile_file] Configured"
    else
        echo "[$profile_file] No need for any action, already configured"
    fi
done
```

Disable PowerShell Core Telemetry:
```bash
command='export POWERSHELL_TELEMETRY_OPTOUT=1'
declare -a profile_files=("$HOME/.bash_profile" "$HOME/.zprofile")
for profile_file in "${profile_files[@]}"
do
    touch "$profile_file"
    if ! grep -q "$command" "${profile_file}"; then
        echo "$command" >> "$profile_file"
        echo "[$profile_file] Configured"
    else
        echo "[$profile_file] No need for any action, already configured"
    fi
done
```

### Configure OS

Deactivate the Remote Management Service:
```bash
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop
```

Remove Apple Remote Desktop Settings:
```bash
sudo rm -rf /var/db/RemoteManagement
sudo defaults delete /Library/Preferences/com.apple.RemoteDesktop.plist
defaults delete ~/Library/Preferences/com.apple.RemoteDesktop.plist
sudo rm -r /Library/Application\ Support/Apple/Remote\ Desktop/
rm -r ~/Library/Application\ Support/Remote\ Desktop/
rm -r ~/Library/Containers/com.apple.RemoteDesktop
```

Disable "Ask Siri":
```bash
defaults write com.apple.assistant.support 'Assistant Enabled' -bool false
```

Disable Siri Voice Feedback:
```bash
defaults write com.apple.assistant.backedup 'Use device speaker for TTS' -int 3
```

Disable Siri Services (Siri and assistantd):
```bash
echo '--- Disable Siri services (Siri and assistantd)'
launchctl disable "user/$UID/com.apple.assistantd"
launchctl disable "gui/$UID/com.apple.assistantd"
sudo launchctl disable 'system/com.apple.assistantd'
launchctl disable "user/$UID/com.apple.Siri.agent"
launchctl disable "gui/$UID/com.apple.Siri.agent"
sudo launchctl disable 'system/com.apple.Siri.agent'
if [ "$(/usr/bin/csrutil status | awk '/status/ {print $5}' | sed 's/\.$//')" = "enabled" ]; then
    >&2 echo 'This script requires SIP to be disabled. Read more: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection'
fi
```

Disable "Do you want to enable Siri?" Pop-up:
```bash
defaults write com.apple.SetupAssistant 'DidSeeSiriSetup' -bool True
```

Hide Siri from Menu Bar:
```bash
defaults write com.apple.systemuiserver 'NSStatusItem Visible Siri' 0
```

Hide Siri from Status Menu:
```bash
defaults write com.apple.Siri 'StatusMenuVisible' -bool false
defaults write com.apple.Siri 'UserHasDeclinedEnable' -bool true
```

Opt-Out from Siri Data Collection:
```bash
defaults write com.apple.assistant.support 'Siri Data Sharing Opt-In Status' -int 2
```

Disable Internet Based Spell Correction:
```bash
defaults write NSGlobalDomain WebAutomaticSpellingCorrectionEnabled -bool false
```

Disable Remote Apple Events:
```bash
sudo systemsetup -setremoteappleevents off
```

Do Not Store Documents to iCloud Drive by Default:
```bash
defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
```

Do Not Show Recent Items on Dock:
```bash
defaults write com.apple.dock show-recents -bool false
```

Disable AirDrop File Sharing:
```bash
defaults write com.apple.NetworkBrowser DisableAirDrop -bool true
```

Disable Spotlight Indexing:
```bash
# mdutil needs a volume argument; "/" is the root volume
sudo mdutil -i off -d /
```

Disable Personalized Advertisements and Identifier Collection:
```bash
defaults write com.apple.AdLib allowIdentifierForAdvertising -bool false
defaults write com.apple.AdLib allowApplePersonalizedAdvertising -bool false
defaults write com.apple.AdLib forceLimitAdTracking -bool true
```

### Security Improvements

Prevent Automatically Allowing Incoming Connections to Signed Apps:
```bash
sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
```

Prevent Automatically
Allowing Incoming Connections to Downloaded Signed Apps:
```bash
sudo defaults write /Library/Preferences/com.apple.alf allowdownloadsignedenabled -bool false
```

Enable Application Firewall:
```bash
# socketfilterfw changes require root
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
defaults write com.apple.security.firewall EnableFirewall -bool true
```

Turn on Firewall Logging:
```bash
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
```

Turn on Stealth Mode:
```bash
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
defaults write com.apple.security.firewall EnableStealthMode -bool true
```

Require a Password to Wake the Computer from Sleep or Screen Saver:
```bash
sudo defaults write /Library/Preferences/com.apple.screensaver askForPassword -bool true
```

Initiate Session Lock Five Seconds after Screen Saver is Started:
```bash
sudo defaults write /Library/Preferences/com.apple.screensaver 'askForPasswordDelay' -int 5
```

Disable Signing In as Guest from the Login Screen:
```bash
sudo defaults write /Library/Preferences/com.apple.loginwindow GuestEnabled -bool NO
```

Disable Guest Access to File Shares over AFP:
```bash
sudo defaults write /Library/Preferences/com.apple.AppleFileServer guestAccess -bool NO
```

Disable Guest Access to File Shares over SMB:
```bash
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AllowGuestAccess -bool NO
```

Disable Remote Login (incoming SSH and SFTP connections):
```bash
echo 'yes' | sudo systemsetup -setremotelogin off
```

Disable Insecure TFTP Service:
```bash
sudo launchctl disable 'system/com.apple.tftpd'
```

Disable Bonjour Multicast Advertising:
```bash
sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool true
```

Disable Insecure Telnet Protocol:
```bash
sudo launchctl disable system/com.apple.telnetd
```

Disable Sharing of Local Printers with Other
Computers:
```bash
cupsctl --no-share-printers
```

Disable Printing from Any Address including the Internet:
```bash
cupsctl --no-remote-any
```

Disable Remote Printer Administration:
```bash
cupsctl --no-remote-admin
```

Disable Captive Portal:
```bash
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control.plist Active -bool false
```

### Privacy over Security

Clear File Quarantine Logs of all Downloaded Files:
```bash
db_file=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
db_query='delete from LSQuarantineEvent'
if [ -f "$db_file" ]; then
    echo "Database exists at \"$db_file\""
    if ls -lO "$db_file" | grep --silent 'schg'; then
        sudo chflags noschg "$db_file"
        echo "Found and removed system immutable flag"
        has_system_immutable_flag=true
    fi
    if ls -lO "$db_file" | grep --silent 'uchg'; then
        sudo chflags nouchg "$db_file"
        echo "Found and removed user immutable flag"
        has_user_immutable_flag=true
    fi
    sqlite3 "$db_file" "$db_query"
    echo "Executed the query \"$db_query\""
    if [ "$has_system_immutable_flag" = true ] ; then
        sudo chflags schg "$db_file"
        echo "Added system immutable flag back"
    fi
    if [ "$has_user_immutable_flag" = true ] ; then
        sudo chflags uchg "$db_file"
        echo "Added user immutable flag back"
    fi
else
    echo "No action needed, database does not exist at \"$db_file\""
fi
```

Clear File Quarantine Attribute from Downloaded Files:
```bash
find ~/Downloads \
    -type f \
    -exec \
        sh -c \
            '
                attr="com.apple.quarantine"
                # The path arrives as $1; splicing {} into the script text would let
                # a crafted file name run as shell code.
                file="$1"
                if xattr "$file" | grep -qF "$attr"; then
                    if xattr -d "$attr" "$file" 2>/dev/null; then
                        echo "🧹 Cleaned attribute from \"$file\""
                    else
                        >&2 echo "❌ Failed to clean attribute from \"$file\""
                    fi
                else
                    echo "No attribute in \"$file\""
                fi
            ' \
        sh {} \;
```

Prevent Quarantine from Logging Downloaded Files:
```bash
file_to_lock=~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
if [ -f "$file_to_lock" ]; then
    sudo chflags schg "$file_to_lock"
    echo "Made file immutable at \"$file_to_lock\""
else
    echo "No action is needed, file does not exist at \"$file_to_lock\""
fi
```

Disable Using Extended
Quarantine Attribute on Downloaded Files (disables warning):
```bash
sudo defaults write com.apple.LaunchServices 'LSQuarantine' -bool NO
```

Prevent Gatekeeper from Automatically Reactivating Itself:
```bash
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool true
```

Disable Gatekeeper:
```bash
os_major_ver=$(sw_vers -productVersion | awk -F "." '{print $1}')
os_minor_ver=$(sw_vers -productVersion | awk -F "." '{print $2}')
# Versions below 10.7 are treated as having no Gatekeeper.
# (-lt, not -le: with -le every 10.x release would be skipped.)
if [[ $os_major_ver -lt 10 \
    || ( $os_major_ver -eq 10 && $os_minor_ver -lt 7 ) \
    ]]; then
    echo "No action needed, Gatekeeper is not available this OS version"
else
    gatekeeper_status="$(spctl --status | awk '/assessments/ {print $2}')"
    if [ "$gatekeeper_status" = "disabled" ]; then
        echo "No action needed, Gatekeeper is already disabled"
    elif [ "$gatekeeper_status" = "enabled" ]; then
        sudo spctl --master-disable
        sudo defaults write '/var/db/SystemPolicy-prefs' 'enabled' -string 'no'
        echo "Disabled Gatekeeper"
    else
        >&2 echo "Unknown gatekeeper status: $gatekeeper_status"
    fi
fi
```

Disable Automatically Checking for Updates:
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticCheckEnabled' -bool false
```

Disable Automatically Downloading New Updates when Available:
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticDownload' -bool false
```

Disable Automatically Installing macOS Updates:
```bash
# For OS X Yosemite through macOS High Sierra (>= 10.10 && < 10.14)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdateRestartRequired' -bool false
# For Mojave and later (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallMacOSUpdates' -bool false
```

Disable Automatically Updating App from the App Store:
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.commerce 'AutoUpdate' -bool false
# For Mojave and later (>= 10.14)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AutomaticallyInstallAppUpdates' -bool false
```

Disable Installation of macOS Beta Releases:
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'AllowPreReleaseInstallation' -bool false
```

Disable Automatically Installing Configuration Data (e.g. XProtect, Gatekeeper, MRT):
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'ConfigDataInstall' -bool false
```

Disable Automatically Installing System Data Files and Security Updates:
```bash
# For OS X Yosemite and later (>= 10.10)
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate 'CriticalUpdateInstall' -bool false
```

Disable Library Validation Entitlement (checks signature of libraries):
```bash
sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist 'DisableLibraryValidation' -bool true
```

### BONUS

stronghold is the easiest way to securely configure your Mac.

#### Installation Options

Install with pip:
```bash
pip install stronghold
stronghold
```

#### Configuration Options

**Firewall**

- Turn on Firewall? This helps protect your Mac from being attacked over the internet.
- Turn on logging? If there IS an infection, logs are useful for determining the source.
- Turn on stealth mode? Your Mac will not respond to ICMP ping requests or connection attempts from closed TCP and UDP networks.

**General System Protection**

- Enable Gatekeeper? Defend against malware by enforcing code signing and verifying downloaded applications before allowing them to run.
- Prevent automatic software whitelisting? Both built-in and downloaded software will require user approval for whitelisting.
- Disable Captive Portal Assistant and force login through browser on untrusted networks? Captive Portal Assistant could be triggered and direct you to a malicious site WITHOUT any user interaction.

**User Metadata Storage**

- Clear language modeling metadata? This includes user spelling, typing and suggestion data.
- Disable language modeling data
  collection?
- Clear QuickLook metadata?
- Clear Downloads metadata?
- Disable metadata collection from Downloads?
- Clear SiriAnalytics database?

**User Safety**

- Lock Mac as soon as screen saver starts?
- Display all file extensions? This prevents malware from disguising itself as another file type.
- Disable saving documents to the cloud by default? This prevents sensitive documents from being unintentionally stored on the cloud.
- Show hidden files in Finder? This lets you see all files on the system without having to use the terminal.
- Disable printer sharing? Offers redundancy in case the Firewall was not configured.

credit: privacy.sexy and stronghold

I hope this was helpful! Thank you for reading! Let's bust some more in next article.
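The `defaults write` commands under Security Improvements can be read back afterwards to confirm each value is actually stored. The script below is an added example, not code from the original post, privacy.sexy or stronghold; the table repeats the domains, keys and values written in that section, and the function names (`read_pref`, `check_pref`, `audit_prefs`, `gatekeeper_state`) are illustrative.

```shell
#!/bin/sh
# Added example: audit the preference keys written under "Security Improvements".
# Rows are domain|key|expected. `defaults read` prints booleans as 1 or 0.
AUDIT_TABLE='/Library/Preferences/com.apple.alf|globalstate|1
/Library/Preferences/com.apple.alf|loggingenabled|1
/Library/Preferences/com.apple.alf|stealthenabled|1
/Library/Preferences/com.apple.alf|allowsignedenabled|0
/Library/Preferences/com.apple.alf|allowdownloadsignedenabled|0
/Library/Preferences/com.apple.screensaver|askForPassword|1
/Library/Preferences/com.apple.screensaver|askForPasswordDelay|5
/Library/Preferences/com.apple.loginwindow|GuestEnabled|0
/Library/Preferences/com.apple.mDNSResponder.plist|NoMulticastAdvertisements|1
/Library/Preferences/SystemConfiguration/com.apple.captive.control.plist|Active|0'

# Print the stored value; non-zero exit status when the key is absent.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null </dev/null
}

# Classify one setting: PASS (matches), FAIL (differs), UNSET (key missing).
check_pref() {
    if cp_actual=$(read_pref "$1" "$2"); then
        if [ "$cp_actual" = "$3" ]; then
            echo "PASS"
        else
            echo "FAIL"
        fi
    else
        echo "UNSET"
    fi
}

# Walk the table, print one line per setting, return non-zero on any drift.
audit_prefs() {
    ap_bad=0
    while IFS='|' read -r ap_domain ap_key ap_expected; do
        [ -n "$ap_domain" ] || continue
        ap_state=$(check_pref "$ap_domain" "$ap_key" "$ap_expected")
        printf '%-5s %s %s (expected %s)\n' \
            "$ap_state" "$ap_domain" "$ap_key" "$ap_expected"
        [ "$ap_state" = "PASS" ] || ap_bad=$((ap_bad + 1))
    done <<EOF
$AUDIT_TABLE
EOF
    [ "$ap_bad" -eq 0 ]
}

# Extract "enabled"/"disabled" from `spctl --status` output, using the same
# awk expression as the Gatekeeper script on this page.
gatekeeper_state() {
    printf '%s\n' "$1" | awk '/assessments/ {print $2}'
}

# On a Mac: sh audit.sh --run   (audit.sh is a hypothetical file name)
if [ "${1:-}" = "--run" ]; then
    audit_prefs
    echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
fi
```

A setting reported as UNSET has no such key in that plist on the machine being audited; for the firewall rows, confirm the live state with `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.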
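The FAQ advises backing up before extensive changes, and the `rm -rfv` commands under Clear OS Logs remove records that cannot be regenerated. The function below is an added example, not code from the original post or from privacy.sexy; `archive_then_clear` and its two-argument layout are hypothetical. It archives a directory's contents, verifies the archive, and only then clears the directory.

```shell
#!/bin/sh
# Added example: archive a directory's contents, verify the archive, then clear it.
# usage: archive_then_clear <dir-to-clear> <archive-dir>
# Prints the archive path on success. Nothing is deleted if any step fails.
archive_then_clear() {
    atc_src=${1%/}
    atc_dest=${2%/}

    [ -d "$atc_src" ] || { echo "skip: not a directory: $1" >&2; return 2; }

    # Refuse an archive location inside the directory being cleared:
    # tar would try to include its own output, and the delete would remove it.
    case "$atc_dest/" in
        "$atc_src"/*) echo "refuse: archive dir is inside $atc_src" >&2; return 2 ;;
    esac

    # An empty directory needs neither an archive nor a delete.
    if [ -z "$(ls -A "$atc_src")" ]; then
        return 0
    fi

    mkdir -p "$atc_dest" || return 1
    chmod 700 "$atc_dest"   # logs can contain user names, hosts and file paths

    atc_name=$(printf '%s' "$atc_src" | tr '/ ' '__')
    atc_archive="$atc_dest/${atc_name}-$(date +%Y%m%dT%H%M%S).tar.gz"

    # 1. Archive relative to the source, so restoring is: tar -xzf <archive> -C <dir>
    tar -czf "$atc_archive" -C "$atc_src" . || { rm -f "$atc_archive"; return 1; }

    # 2. Verify: the archive must list as many entries as the directory holds.
    #    A file still being written, or one tar skipped, makes the counts differ.
    atc_want=$(find "$atc_src" -mindepth 1 | wc -l | tr -d ' ')
    atc_have=$(tar -tzf "$atc_archive" | grep -vcx './' | tr -d ' ')
    [ "$atc_want" -eq "$atc_have" ] || {
        echo "abort: archive has $atc_have entries, expected $atc_want" >&2
        return 1
    }

    # 3. Only now remove the contents (the directory itself is kept).
    find "$atc_src" -mindepth 1 -delete || return 1
    printf '%s\n' "$atc_archive"
}
```

For the root-owned paths on this page, call it from a root shell, for example with `/var/log` as the first argument and a directory on another volume as the second.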