#!/bin/bash
# Pin PATH to the system directories so only the stock macOS tools are used.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
##################################################################
# Configuration
#
# Short name of the administrator account this script creates.
USER_NAME=Coiney
#
# Nothing below this line is meant to be edited by the user.
##################################################################
# Abort on the first failing command.
set -o errexit
#
# Exit codes:
# 0 - everything succeeded
# 1 - the target user already exists
# 2 - no password could be generated
#
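#######################################
# Run this at the very beginning to make sure the user has sudo
# permissions and to cache the credentials for the later sudo calls.
# `sudo -l` asks for the password when needed; its output and its own
# error messages are discarded, so the failure case is reported here
# explicitly instead of letting `set -e` end the script silently with
# sudo's status (which would collide with exit code 1, "user exists").
# Outputs:  explanatory text on stdout; an error on stderr on failure
# Returns:  0 when sudo is available; exits 3 otherwise
#######################################
cache_sudo() {
  cat <<EOF
This script uses sudo to create user account and to modify system setting.
Please provide your sudo password.
EOF
  if ! sudo -l > /dev/null 2>&1; then
    printf '%s\n' "Could not obtain sudo privileges; aborting." >&2
    exit 3
  fi
}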
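#######################################
# Generate a random password on stdout using Ruby's SecureRandom.
# 15 random bytes are base64-encoded (20 characters) and any punctuation
# ('+', '/', '=') is stripped, so the result is alphanumeric and usually
# a little shorter than 20 characters.
# The global policy this script installs requires at least one digit and
# one letter; a plain base64 string lacks a digit a few percent of the
# time, so candidates are regenerated until both classes are present.
# Outputs:  the password, or nothing when ruby is unavailable or fails
#           (the caller treats an empty result as failure)
#######################################
random_password() {
  local candidate attempt
  for attempt in 1 2 3 4 5 6 7 8 9 10; do
    candidate=$(ruby -r securerandom -e "puts SecureRandom.base64(15)" | tr -d "[:punct:]")
    # ruby missing or failing: give up at once rather than looping.
    if [[ -z "${candidate}" ]]; then
      return 0
    fi
    if [[ "${candidate}" =~ [0-9] && "${candidate}" =~ [A-Za-z] ]]; then
      printf '%s\n' "${candidate}"
      return 0
    fi
  done
  # Ten candidates without both classes is vanishingly unlikely; emit
  # nothing so the caller's empty-password check fires.
  return 0
}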
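#######################################
# Abort if the target user already exists in the local directory.
# The name is matched as a whole line and as a fixed string, so "Coiney"
# no longer matches "Coiney2" (the previous unanchored grep did) and
# regex metacharacters in the name are inert.
# Arguments: $1 - short user name
# Outputs:   a message on stdout when the user exists
# Returns:   0 when the user is absent; exits 1 when it exists
#######################################
guard() {
  local target_user=${1}
  if dscl . -list /Users | grep -Fqx -- "${target_user}"; then
    echo "User ${target_user} already exists."
    exit 1
  fi
}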
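#######################################
# Create a local administrator account via dscl.
# Globals:   none written (the staff gid and the new UniqueID are locals)
# Arguments: $1 - short user name
#            $2 - password for the new account
# Outputs:   progress text on stdout
# Returns:   0 on success; under `set -e` a failing sudo/dscl step aborts
#            the script, and a missing staff gid or UniqueID aborts via
#            ${var:?} before any account is created
#######################################
make_admin_user() {
  echo "-- Creating admin user "
  local target_user=${1}
  local password=${2}
  local user_path="/Users/${target_user}"
  local gid lastid newid
  # PrimaryGroupID of the "staff" group, matched by exact name; the
  # earlier prefix match /^staff/ would also accept any group whose name
  # merely starts with "staff".
  gid=$(dscl . list groups gid | awk '$1 == "staff" {print $2}')
  : "${gid:?could not determine the gid of the staff group}"
  # Next free UniqueID: one above the largest one currently in use.
  lastid=$(dscl . -list /Users UniqueID | awk 'BEGIN {max = 0} {if ($2>max) max=$2} END {print max}')
  : "${lastid:?could not determine the highest UniqueID in use}"
  newid=$((lastid + 1))
  sudo dscl . -create "${user_path}"
  sudo dscl . -create "${user_path}" UserShell /bin/bash
  sudo dscl . -create "${user_path}" RealName "${target_user}"
  sudo dscl . -create "${user_path}" UniqueID "${newid}"
  sudo dscl . -create "${user_path}" PrimaryGroupID "${gid}"
  sudo dscl . -create "${user_path}" NFSHomeDirectory "${user_path}"
  # Seed the home directory from the system user template.
  sudo cp -a "/System/Library/User Template/English.lproj" "${user_path}"
  sudo chown -R "${target_user}:staff" "${user_path}"
  sudo chmod 701 "${user_path}"
  # NOTE(review): the password is passed on the command line, so it is
  # briefly visible in process listings (and in any `set -x` trace).
  sudo dscl . -passwd "${user_path}" "${password}"
  sudo dscl . append /Groups/admin GroupMembership "${target_user}"
  # Admin user should NOT expire
  sudo pwpolicy -setpolicy -u "${target_user}" "maxMinutesUntilChangePassword=2147483647"
}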
# Apply the machine-wide password policy (affects all local accounts).
# NOTE(review): maxFailedLoginAttempts appears twice in this string
# (3 and 6); which of the two pwpolicy honours is not established here,
# so the string is kept verbatim — confirm the intended lockout
# threshold and keep a single value.
set_pw_policy() {
  local policy
  policy="minChars=7 maxFailedLoginAttempts=3 requiresNumeric=1 requiresAlpha=1 usingHistory=4 maxFailedLoginAttempts=6 maxMinutesUntilChangePassword=129600"
  echo "-- Setting default password policies"
  sudo pwpolicy -setglobalpolicy "${policy}"
}
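# Configure the screen saver idle time to 15 minutes (900 s) - PCI DSS
# requirement. The value is written as an integer: without -int,
# `defaults write` stores it as a string, unlike the -int writes in
# screen_lock.
screen_saver() {
  echo "-- Configuring screensaver"
  defaults -currentHost write com.apple.screensaver idleTime -int 900
}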
# Require a password immediately after sleep or the screen saver begins.
# NOTE(review): whether current macOS releases still honour these
# defaults keys is not established here — verify in System Settings
# after running.
screen_lock() {
  local domain=com.apple.screensaver
  echo "-- Configuring screen lock"
  defaults write "${domain}" askForPassword -int 1
  defaults write "${domain}" askForPasswordDelay -int 0
}
# Dump the local admin group record so the new membership can be
# verified by eye.
print_out_admins() {
  printf '%s\n' "-------check admins-------"
  dscl localhost -read /Local/Default/Groups/admin
}
# Print this machine's ComputerName on stdout (used in the password
# record written by save_password).
computer_name() {
  scutil --get ComputerName
}
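# Show the password policy in effect for the invoking user. The user
# name is quoted so an unexpected value cannot be word-split.
print_policy() {
  echo '----------------------------------------------------------'
  printf "Your effective password policies are:\n\n\n"
  pwpolicy get-effective-policy -u "$(whoami)"
}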
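#######################################
# Record the generated password in a file in the caller's home
# directory, tell the user where it is and open it in TextEdit.
# Globals:   USER_NAME (read), PASSWORD (read), HOME (read)
# Outputs:   a notice on stdout; the record to ${HOME}/admin_user_password.txt
#######################################
save_password() {
  local output="${HOME}/admin_user_password.txt"
  # Create (or truncate) the file with owner-only permissions before the
  # password is written to it, and tighten a pre-existing file's mode as
  # well; the default umask would otherwise leave the record readable by
  # every local user.
  ( umask 077; : > "${output}" )
  chmod 600 "${output}"
  cat <<EOF > "${output}"
================================================================
This password was generated by security script for administrator
user '${USER_NAME}' on
computer "$(computer_name)" at $(date "+%Y %m %d %H:%M")
${USER_NAME}'s password: ${PASSWORD}
Please keep this record safe.
================================================================
EOF
  cat <<EOF
**********************************************************************
*
* User's ${USER_NAME} password saved to the file
*
* ${output}
*
* Please print out and delete this file. Keep it in safe place.
*
**********************************************************************
EOF
  open -e --background --fresh "${output}"
}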
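# Main sequence. The password record is written before the account is
# created, so a failure part-way through does not lose the generated
# password; if creation then fails, the saved file refers to an account
# that does not exist (presumably intentional — confirm).
cache_sudo
guard "${USER_NAME}"
PASSWORD=$(random_password)
if [[ -z "${PASSWORD}" ]]; then
  echo "Something wrong. Empty password." >&2
  exit 2
fi
save_password
set_pw_policy
make_admin_user "${USER_NAME}" "${PASSWORD}"
print_out_admins
screen_saver
screen_lock
print_policy
printf "\n\n\n----success----\n\n\n"
exit 0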