macOS security audit checklist for detecting compromise
Tags: hacked, compromised, security check, SIP, gatekeeper, filevault, launch agents, persistence, network ports, SSH keys, DNS hijack
Problem
Need to verify that a macOS system has not been compromised. No single command covers all attack vectors, so the check has to cover multiple persistence mechanisms, the network state, and the built-in security features.
Solution
Run a multi-point security audit:
1. Login history: `last -20` and look for unknown users.
2. Security features: `csrutil status` (SIP), `spctl --status` (Gatekeeper), `fdesetup status` (FileVault), `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` (Firewall).
3. Persistence: check `~/Library/LaunchAgents`, `/Library/LaunchDaemons`, `/Library/LaunchAgents`, and `crontab -l`.
4. Network: `lsof -iTCP -sTCP:LISTEN -P -n` for open ports, `lsof -iTCP -sTCP:ESTABLISHED -P -n` for active connections.
5. SSH: check `~/.ssh/authorized_keys` and `~/.ssh/config`.
6. DNS/Proxy: `scutil --dns`, `/etc/hosts`, `networksetup -getwebproxy Wi-Fi`.
7. Users: `dscl . list /Users UniqueID` and the admin group membership.
8. Profiles: `profiles show` for MDM enrollment.
9. Extensions: `kextstat` and `systemextensionsctl list`.

Key finding: the macOS firewall is OFF by default; enable it via System Settings > Network > Firewall. Dev servers binding to `*` (all interfaces) are reachable on the LAN while the firewall is disabled.
Why
macOS ships with the application firewall disabled by default. Combined with dev servers that bind to 0.0.0.0 (all interfaces), this exposes local services to anyone on the same network. Each audit point targets a different attack vector: LaunchAgents for persistence, authorized_keys for unauthorized SSH access, DNS/hosts for traffic redirection, profiles for MDM-based control.
Gotchas
- macOS firewall is OFF by default — most users don't realize this
- Dev servers (node, python) often bind to 0.0.0.0 instead of 127.0.0.1, exposing them to the LAN
- TCC database is unreadable on modern macOS without FDA (Full Disk Access) — this is normal, not a sign of compromise
- Screen sharing services showing in `launchctl list` doesn't mean they're active — check the dash prefix (a `-` in the PID column means the job is loaded but not running)
- The `last` command only shows terminal logins, not GUI logins
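The following script is an added example and not part of the original page or any project it references. It turns two of the checks above into something repeatable: it parses `lsof -iTCP -sTCP:LISTEN -P -n` output and flags only listeners bound to every interface (the dev-server exposure from the Solution), and it parses `launchctl list` output to keep only jobs with a numeric PID (the dash-prefix Gotcha). The sample output embedded in the script is constructed, with placeholder `com.example.*` labels; on a Mac the same parsers are fed the live commands.

```shell
#!/bin/sh
# Added example, not from the original page. Parsers for two audit checks:
#  - exposed_listeners: which listening sockets are bound to all interfaces
#  - running_jobs: which launchd jobs are actually running (PID column is a number)

# Constructed `lsof -iTCP -sTCP:LISTEN -P -n` output (not from a real machine).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node     4242 alice   23u  IPv4 0x1234      0t0  TCP *:3000 (LISTEN)
python3  4343 alice    3u  IPv4 0x5678      0t0  TCP 127.0.0.1:8000 (LISTEN)
example  5555 alice    5u  IPv6 0x9abc      0t0  TCP [::]:8443 (LISTEN)
postgres  900 alice    6u  IPv4 0xdef0      0t0  TCP 127.0.0.1:5432 (LISTEN)'

# Constructed `launchctl list` output; real output is tab separated, which
# awk splits the same way. Labels are placeholders, not real services.
SAMPLE_LAUNCHCTL='PID Status Label
- 0 com.example.remote-agent
512 0 com.example.sync
- 0 com.example.updater
777 0 com.example.helper'

# Read lsof LISTEN output on stdin; print "COMMAND PID ADDRESS" for sockets
# bound to a wildcard address (*, 0.0.0.0 or [::]). Loopback binds are
# skipped because they are not reachable from the LAN.
exposed_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-1) ~ /^(\*|0\.0\.0\.0|\[::\]):/ {
        print $1, $2, $(NF-1)
    }'
}

# Read `launchctl list` output on stdin; print the label of each job whose
# PID column is numeric. A "-" there means loaded but not running.
running_jobs() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $3 }'
}

# Run the parsers over the constructed samples.
demo_exposed() { printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners; }
demo_running() { printf '%s\n' "$SAMPLE_LAUNCHCTL" | running_jobs; }

echo "== listeners bound to all interfaces (constructed sample) =="
demo_exposed
echo "== running launchd jobs (constructed sample) =="
demo_running

# On a real Mac, feed the live commands through the same parsers.
if [ "$(uname)" = "Darwin" ]; then
    echo "== live: listeners reachable from the LAN while the firewall is off =="
    lsof -iTCP -sTCP:LISTEN -P -n | exposed_listeners
    echo "== live: launchd jobs currently running for this user =="
    launchctl list | running_jobs
fi
```

On the constructed sample the first parser reports `node 4242 *:3000` and `example 5555 [::]:8443` and stays silent about the two loopback-only services, which is the distinction that matters when the firewall is off; the second reports only `com.example.sync` and `com.example.helper`, even though four jobs are loaded.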
Context
When a user suspects their machine may be compromised, or wants a routine health check.