# macOS Security Hardening — Full Security Audit
A hands-on security audit of a personal macOS workstation. I used Lynis, rkhunter, and manual inspection to identify vulnerabilities, remove unnecessary services, harden configurations, and verify the system was free of rootkits. This project documents the full process from scan to remediation.
Connect: LinkedIn — Gabriel Aladegbemi | Dallas, TX | CompTIA Security+ | Network+
| Property | Value |
|---|---|
| OS | macOS Tahoe 26.3.1 |
| Kernel | Darwin 25.3.0 |
| Architecture | ARM64 (Apple Silicon) |
| Disk Encryption | FileVault Enabled |
| Firewall | Application Firewall Active |
| Tool | Version | Purpose |
|---|---|---|
| Lynis | 3.1.6 | System auditing and hardening assessment (173 tests, 2 plugins) |
| rkhunter | 1.4.6 | Rootkit, backdoor, and binary integrity scanner (385 rootkits checked) |
| lsof | — | Open file and port analysis |
| Manual review | — | LaunchDaemons, LaunchAgents, SSH config, DNS, file permissions |
### Lynis results

| Check | Result |
|---|---|
| Hardening Index | 73 / 100 |
| Warnings | 2 (DNS resolution) |
| Suggestions | 16 |
| Firewall | Active |
| Malware Scanner | Active |
| File Integrity Tool | Present (mtree) |
### rkhunter results

| Check | Result |
|---|---|
| Rootkits Scanned | 385 |
| Rootkits Found | 0 |
| System Binaries Verified | 106 |
| Backdoor Ports Checked | 22 (none open) |
| Suspicious Processes | None |
| Scan Time | 73 seconds |
## What I Fixed (15 Remediation Actions)
### Attack Surface Reduction

| Action | Risk Level | Details |
|---|---|---|
| Removed Oracle Java Plugin | 🔴 High | End-of-life and unpatched; a top exploit vector since 2012. |
| Disabled Chrome Remote Desktop | 🔴 High | Idle remote access service — unnecessary exposure. |
| Removed ExamSoft Proctoring | 🟡 Medium | Deep system privileges, no longer needed. |
| Removed GoToMeeting | 🟡 Medium | Obsolete, running with auto-update privileges. |
| Removed stale VMware Fusion PATH | 🟡 Medium | Stale PATH entry was breaking security tools (rkhunter). |
| Removed Parallels Toolbox | 🟢 Low | Root-level daemons for unused software. |
| Disabled HP Telemetry | 🟢 Low | Unnecessary data collection daemon. |
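Every removal in the table above started with finding the launch items that third-party software had dropped into `/Library/LaunchDaemons` and `/Library/LaunchAgents`. The script below is an added example, not the repository's `hardening-checklist.sh`; the function names (`plist_first_string`, `list_third_party_launch_items`) are mine. It lists every launch item whose label is not `com.apple.*`, the executable it starts, and whether that executable still exists, which is how leftover plists from uninstalled software show up. It assumes XML plists; binary ones need `plutil -convert xml1 -o - FILE.plist` first.

```sh
#!/bin/sh
# Added example for this README (not the repo's hardening-checklist.sh):
# inventory third-party launch items.  Apple's own daemons and agents carry
# com.apple.* labels; anything else under /Library/LaunchDaemons or
# /Library/LaunchAgents was installed by third-party software (remote-access
# helpers, vendor telemetry, virtualization tools) and deserves a look.
# Assumes XML plists; convert binary ones first with
#   plutil -convert xml1 -o - FILE.plist

# plist_first_string FILE KEY: print the first <string> that follows <key>KEY</key>
# (enough for Label, Program and the first ProgramArguments entry).
plist_first_string() {
    awk -v key="<key>$2</key>" '
        index($0, key) { found = 1 }
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }
    ' "$1"
}

# list_third_party_launch_items DIR...: one tab-separated line per non-Apple item:
#   label  present|missing|no-program  executable  plist-path
# "missing" means the plist still points at a binary that is gone, i.e. a
# leftover from uninstalled software that should simply be deleted.
list_third_party_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            label=$(plist_first_string "$plist" Label)
            case "$label" in
                ""|com.apple.*) continue ;;   # unlabeled, or Apple's own item
            esac
            # launchd runs Program if set, otherwise ProgramArguments[0]
            prog=$(plist_first_string "$plist" Program)
            [ -n "$prog" ] || prog=$(plist_first_string "$plist" ProgramArguments)
            if [ -z "$prog" ]; then state=no-program
            elif [ -e "$prog" ]; then state=present
            else state=missing
            fi
            printf '%s\t%s\t%s\t%s\n' "$label" "$state" "$prog" "$plist"
        done
    done
}

# Stand-alone use on macOS: audit the system-wide and per-user locations.
list_third_party_launch_items /Library/LaunchDaemons /Library/LaunchAgents \
    "${HOME:-/nonexistent}/Library/LaunchAgents"
```

Everything it prints is a candidate for review, not automatically a problem. A `missing` entry can be deleted outright; a `present` one that is no longer wanted is unloaded with `sudo launchctl bootout system /Library/LaunchDaemons/<label>.plist` before its plist is removed. `launchctl print system` shows what is loaded right now, which an on-disk inventory alone cannot tell you.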
### System Hardening

| Action | Risk Level | Details |
|---|---|---|
| Hardened SSH config | 🔴 High | Disabled root login, Protocol 2 only, MaxAuthTries 3. |
| Fixed DNS redundancy | 🔴 High | Replaced dead nameserver with working backup. |
| Tightened home directory permissions | 🟡 Medium | Changed from world-readable to 750. |
| Disabled FTP proxy service | 🟡 Medium | FTP transmits credentials in plaintext. |
| Added hostname to /etc/hosts | 🟢 Low | Prevents hostname resolution attacks on LAN. |
### Rootkit Detection

| Action | Risk Level | Details |
|---|---|---|
| Installed and ran rkhunter | 🟡 Medium | 385 rootkits scanned, zero found. |
| Created rkhunter baseline | 🟢 Low | Property database for future integrity checks. |
| Analyzed deleted-but-open files | 🟢 Low | All confirmed as normal macOS cache rotation. |
Hardened `sshd_config` directives applied during the audit (the full file is in `configs/sshd_config_hardened.conf`):

```
# Drop connections that have not authenticated within one minute
LoginGraceTime 1m
# Never allow direct root login over SSH
PermitRootLogin no
# SSH-2 only (SSH-1 has been removed from OpenSSH, so current sshd ignores this keyword)
Protocol 2
# Refuse keys and directories with unsafe ownership or permissions
StrictModes yes
# At most three authentication attempts per connection
MaxAuthTries 3
# At most three multiplexed sessions per connection
MaxSessions 3
```
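A hardened file only helps if sshd actually takes those values. As an added check, not part of the repository, the script below reads an `sshd_config` the way sshd does: keyword matching is case-insensitive, the first uncommented occurrence wins, and directives below a `Match` line are conditional rather than global. The function names (`effective_value`, `check_sshd_hardening`) are mine. It verifies the five directives above that current OpenSSH still honors; `Protocol` is kept in the audit's file but has been a deprecated no-op since SSH-1 support was removed, and sshd logs it as such. The authoritative view is still `sudo sshd -T`, which prints the effective configuration after `Include` files (such as the `/etc/ssh/sshd_config.d/*` include that recent macOS releases put at the top of the file) are merged.

```sh
#!/bin/sh
# Added example for this README (not the repo's hardening-checklist.sh):
# verify that the audit's sshd directives are what sshd will actually use.
# sshd takes a keyword's FIRST uncommented occurrence and ignores later ones,
# matches keywords case-insensitively, and treats everything after a "Match"
# line as conditional.  A later "PermitRootLogin yes" therefore does no harm,
# but an earlier one silently wins over the hardened value.

# effective_value FILE KEYWORD: print the global value sshd would take from FILE.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments
        NF < 2 { next }                          # blank or comment-only line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == want { print $2; exit }   # first occurrence wins
    ' "$1"
}

# check_sshd_hardening FILE: one OK/FAIL line per directive from the audit;
# returns 1 if any directive is unset or differs from the hardened value.
check_sshd_hardening() {
    file=$1
    status=0
    for pair in "PermitRootLogin no" "StrictModes yes" "MaxAuthTries 3" \
                "MaxSessions 3" "LoginGraceTime 1m"; do
        key=${pair%% *}
        want=${pair#* }
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            printf 'OK    %-15s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-15s got "%s", want "%s"\n' "$key" "${got:-unset}" "$want"
            status=1
        fi
    done
    # "Protocol 2" is not checked: SSH-1 was removed from OpenSSH long ago and
    # current sshd reports the keyword as deprecated and ignores it.
    return "$status"
}

# Stand-alone use: sh check-sshd.sh /etc/ssh/sshd_config
# Compare the result with `sudo sshd -T`, which prints the effective
# configuration after every Include file has been merged.
if [ -n "${1:-}" ]; then
    check_sshd_hardening "$1"
fi
```

Run it against the hardened file before restarting sshd and again against `sudo sshd -T` output afterwards; a directive that passes in the file but not in the effective configuration means an included file or an earlier duplicate is overriding it.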
## Pre-Existing Security Controls

These were already in place before the audit:

- FileVault disk encryption (full-disk)
- macOS Application Firewall (active)
- Malwarebytes real-time protection
- Wazuh SIEM agent (installed, pending manager configuration)
- Nessus vulnerability scanner
- Wireshark (network analysis)
- No zombie processes, no passwordless accounts, no expired SSL certificates
| Category | Skills |
|---|---|
| Vulnerability Assessment | Lynis, rkhunter, Nmap |
| Attack Surface Reduction | Service removal, port analysis, LaunchDaemon auditing |
| System Hardening | SSH config, file permissions, DNS, FTP proxy |
| Rootkit Detection | Binary integrity verification, rkhunter baseline |
| Documentation | Formal report, redacted scan outputs, reusable hardening script |
| OPSEC | PII redaction from public-facing reports |
```text
├── README.md                        # This file
├── reports/
│   └── macos-hardening-report.docx  # Full formal write-up
├── configs/
│   └── sshd_config_hardened.conf    # Hardened SSH configuration
├── scans/
│   ├── lynis-summary.txt            # Lynis scan results (redacted)
│   └── rkhunter-summary.txt         # rkhunter scan results (redacted)
└── scripts/
    └── hardening-checklist.sh       # Reusable hardening script
```
Gabriel Aladegbemi — IT & Cybersecurity Professional
CompTIA Security+ | CompTIA Network+ | UNT B.A.A.S. Information Technology (Expected 2026)
LinkedIn | Dallas, TX