#!/usr/bin/env bash
# Security Settings
# Profile-aware security configuration (desktop vs laptop)
set -euo pipefail
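# Source logging/utility helpers if available.
# DOTFILES_ROOT is set when this script is run from install.sh.
if [[ -n "${DOTFILES_ROOT:-}" ]]; then
  # shellcheck source=../../../lib/logging.sh
  source "${DOTFILES_ROOT}/lib/logging.sh"
  # shellcheck source=../../../lib/utils.sh
  source "${DOTFILES_ROOT}/lib/utils.sh"
else
  # Fallback if not running from install.sh.
  # The rest of this script calls print_status/print_debug/print_success/
  # print_warning (logging.sh) and is_laptop (utils.sh) unconditionally, so
  # without these shims the first such call fails with "command not found"
  # and, under `set -e`, aborts the script before any setting is applied.
  print_status()  { printf '[INFO] %s\n' "$*"; }
  print_debug()   { printf '[DEBUG] %s\n' "$*"; }
  print_success() { printf '[OK] %s\n' "$*"; }
  print_warning() { printf '[WARN] %s\n' "$*" >&2; }
  # Fail closed: without utils.sh we cannot tell a desktop from a laptop, so
  # treat the machine as portable and apply the stricter (password-required)
  # policy below. NOTE(review): utils.sh's real is_laptop is not visible here.
  is_laptop() { return 0; }
fi
print_status "Configuring security settings..."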
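# ===========================
# === FIREWALL ===
# ===========================
print_debug "Enabling macOS firewall..."
# Enable the application firewall.
# Prefer socketfilterfw, the supported CLI for the application firewall; it
# takes effect immediately and fails loudly (non-zero exit aborts under set -e).
# Writing com.apple.alf globalstate directly is the legacy approach: recent
# macOS releases no longer read the firewall state from that plist, so the
# write can succeed yet change nothing. It is kept only as a fallback for
# systems where the socketfilterfw binary is absent.
# globalstate values: 0 = off, 1 = on for specific services,
#                     2 = on for essential services (block all incoming)
socketfilterfw="/usr/libexec/ApplicationFirewall/socketfilterfw"
if [[ -x "${socketfilterfw}" ]]; then
  sudo "${socketfilterfw}" --setglobalstate on >/dev/null
else
  print_warning "socketfilterfw not found; falling back to legacy com.apple.alf plist write (may be ignored on current macOS)"
  sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1
fi
print_success "Firewall enabled"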
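# ===================================
# === PASSWORD AFTER SLEEP ===
# ===================================
print_debug "Configuring password after sleep/screensaver..."
# Check if we're running on a laptop
is_laptop_device=false
if is_laptop; then
  is_laptop_device=true
fi
# Determine password requirement based on profile and device type.
# Policy: laptops always require it; desktops may opt out, but only with an
# explicit ENABLE_PASSWORD_AFTER_SLEEP=false. Previously any non-"true" value
# ("no", "0", "FALSE", a typo) silently disabled the lock; now unset or
# unrecognised values fall back to requiring a password, so a misconfigured
# profile can never leave a machine unlocked.
require_password=true
if [[ "${is_laptop_device}" == "true" ]]; then
  # Laptops ALWAYS require password after sleep (security critical for portable devices)
  print_debug "Device is a laptop - password will be required after sleep"
else
  case "${ENABLE_PASSWORD_AFTER_SLEEP:-}" in
    true)
      print_debug "Desktop profile: password required after sleep"
      ;;
    false)
      require_password=false
      print_debug "Desktop profile: password NOT required after sleep"
      ;;
    "")
      print_warning "ENABLE_PASSWORD_AFTER_SLEEP not set, defaulting to requiring password"
      ;;
    *)
      print_warning "ENABLE_PASSWORD_AFTER_SLEEP='${ENABLE_PASSWORD_AFTER_SLEEP}' is not 'true' or 'false', defaulting to requiring password"
      ;;
  esac
fi
# Apply password settings.
# NOTE(review): askForPassword/askForPasswordDelay are the long-standing
# com.apple.screensaver user-default keys. On current macOS releases the lock
# setting is managed from System Settings and these keys may not be honoured;
# verify on the target OS version and, if they are ignored, use
# `sysadminctl -screenLock immediate -password -` or a configuration profile.
if [[ "${require_password}" == "true" ]]; then
  # Require password immediately after sleep/screensaver
  defaults write com.apple.screensaver askForPassword -int 1
  defaults write com.apple.screensaver askForPasswordDelay -int 0
  print_success "Password required immediately after sleep/screensaver"
else
  # Disable password requirement after sleep/screensaver (desktop convenience)
  defaults write com.apple.screensaver askForPassword -int 0
  defaults write com.apple.screensaver askForPasswordDelay -int 0
  print_success "Password NOT required after sleep/screensaver (desktop mode)"
fi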
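# ===================================
# === CUPS WEB INTERFACE ===
# ===================================
print_debug "Enabling CUPS web interface for printer management..."
# Enable CUPS Web Interface for advanced printer management
# Access via: http://localhost:631
# This is a convenience setting, not a hardening one: it turns on an extra HTTP
# admin surface on the machine. It is only acceptable while cupsd listens on
# localhost; do not combine it with remote administration
# (`cupsctl --remote-admin`) on a host exposed to untrusted networks.
if command -v cupsctl >/dev/null 2>&1; then
  # Best effort, but do not mask the outcome: the previous version swallowed
  # the exit status and reported success even when cupsctl had failed.
  if cupsctl WebInterface=yes 2>/dev/null; then
    print_success "CUPS web interface enabled (http://localhost:631)"
    # cupsctl with no arguments prints the current settings as key=value
    # lines; _remote_admin=1 means the web interface is reachable from the
    # network, not just from localhost.
    if cupsctl 2>/dev/null | grep -q '^_remote_admin=1$'; then
      print_warning "CUPS remote administration is enabled; the web interface is exposed beyond localhost"
    fi
  else
    print_warning "cupsctl WebInterface=yes failed (is cupsd running?); CUPS web interface not enabled"
  fi
else
  print_debug "cupsctl not found, skipping CUPS configuration"
fi
print_success "Security settings configured"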