diff --git a/README-cn.md b/README-cn.md index 636bbede..6b74182e 100755 --- a/README-cn.md +++ b/README-cn.md @@ -1196,62 +1196,62 @@ Some clients may send traffic over the next available interface when VPN is inte Another set of scripts to lock down your system so it will only access the internet via a VPN can be found as part of the Voodoo Privacy project - [sarfata/voodooprivacy](https://github.com/sarfata/voodooprivacy) and there is an updated guide to setting up an IPSec VPN on a virtual machine ([hwdsl2/setup-ipsec-vpn](https://github.com/hwdsl2/setup-ipsec-vpn)) or a docker container ([hwdsl2/docker-ipsec-vpn-server](https://github.com/hwdsl2/docker-ipsec-vpn-server)). -## Viruses and malware +## 病毒和恶意软件 -There is an [ever-increasing](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html) amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software! +面对[日益增长](https://www.documentcloud.org/documents/2459197-bit9-carbon-black-threat-research-report-2015.html)的恶意软件,Mac 还无法很好的防御这些病毒和恶意软件! -Some malware comes bundled with both legitimate software, such as the [Java bundling Ask Toolbar](http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/), and some with illegitimate software, such as [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) bundled with pirated programs. [Malwarebytes Anti-Malware for Mac](https://www.malwarebytes.com/antimalware/mac/) is an excellent program for ridding oneself of "garden-variety" malware and other "crapware". +一些恶意软件捆绑在正版软件上,比如 [Java bundling Ask Toolbar](http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/),还有 [Mac.BackDoor.iWorm](https://docs.google.com/document/d/1YOfXRUQJgMjJSLBSoLiUaSZfiaS_vU3aG4Bvjmz6Dxs/edit?pli=1) 这种和盗版软件捆绑到一块的。[Malwarebytes Anti-Malware for Mac](https://www.malwarebytes.com/antimalware/mac/) 是一款超棒的应用,它可以帮你摆脱种类繁多的垃圾软件和其他恶意程序的困扰。 -See [Methods of malware persistence on Mac OS X](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) and [Malware Persistence on OS X Yosemite](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite) to learn about how garden-variety malware functions. +看看[恶意软件驻留在 Mac OS X 的方法](https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Wardle.pdf) (pdf) 和[恶意软件在 OS X Yosemite 后台运行](https://www.rsaconference.com/events/us15/agenda/sessions/1591/malware-persistence-on-os-x-yosemite)了解各种恶意软件的功能和危害。 -You could periodically run a tool like [Knock Knock](https://github.com/synack/knockknock) to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as [Block Block](https://objective-see.com/products/blockblock.html) and [Ostiarius](https://objective-see.com/products/ostiarius.html) will help. See warnings and caveats in [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) first, however. Using an application such as [Little Flocker](https://www.littleflocker.com/) can also protect parts of the filesystem from unauthorized writes similar to how Little Snitch protects the network (note, however, the software is still in beta and should be [used with caution](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128)). +你可以定期运行 [Knock Knock](https://github.com/synack/knockknock) 这样的工具来检查在持续运行的应用(比如脚本,二进制程序)。但这种方法可能已经过时了。[Block Block](https://objective-see.com/products/blockblock.html) 和 [Ostiarius](https://objective-see.com/products/ostiarius.html) 这样的应用可能还有些帮助。可以在 [issue #90](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/90) 中查看相关警告。除此之外,使用 [Little Flocker](https://www.littleflocker.com/) 也能保护部分文件系统免遭非法写入,类似 Little Snitch 保护网络 (注意,该软件目前是 beat 版本,[谨慎使用](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/pull/128))。 -**Anti-virus** programs are a double-edged sword -- not useful for **advanced** users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on **novice** users' Macs. There is also the additional processing overhead to consider. +**反病毒** 软件是把双刃剑 -- 对于**高级**用户没什么用,却可能面临更多复杂攻击的威胁。然而对于 Mac **新手**用户可能是有用的,可以检测到“各种”恶意软件。不过也要考到额外的处理开销。 -See [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), and [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). +看看 [Sophail: Applied attacks against Antivirus](https://lock.cmpxchg8b.com/sophailv2.pdf) (pdf), [Analysis and Exploitation of an ESET Vulnerability](http://googleprojectzero.blogspot.ro/2015/06/analysis-and-exploitation-of-eset.html), [a trivial Avast RCE](https://code.google.com/p/google-security-research/issues/detail?id=546), [Popular Security Software Came Under Relentless NSA and GCHQ Attacks](https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/), 和 [AVG: "Web TuneUP" extension multiple critical vulnerabilities](https://code.google.com/p/google-security-research/issues/detail?id=675). -Therefore, the best anti-virus is **Common Sense 2016**. See more discussion in [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44). +因此,最好的防病毒方式是日常地防范。看看 [issue #44](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/44)中的讨论。 -Local privilege escalation bugs are plenty on macOS, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP ([example](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)). +macOS 上有很多本地提权漏洞,所以要小心那些从第三方网站或 HTTP([案例](http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/)) 下载且运行受信或不受信的程序。 -Have a look at [The Safe Mac](http://www.thesafemac.com/) for past and current Mac security news. +看看 [The Safe Mac](http://www.thesafemac.com/) 上过去和目前的 Mac 安全新闻。 -Also check out [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) malware for Mac OS: [root installation for MacOS](https://github.com/hackedteam/vector-macos-root), [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) and [RCS Agent for Mac](https://github.com/hackedteam/core-macos), which is a good example of advanced malware with capabilities to hide from **userland** (e.g., `ps`, `ls`), for example. For more, see [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) and [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) +也检查下 [Hacking Team](https://www.schneier.com/blog/archives/2015/07/hacking_team_is.html) 为 Mac OS 开发的恶意软件:[root installation for MacOS](https://github.com/hackedteam/vector-macos-root)、 [Support driver for Mac Agent](https://github.com/hackedteam/driver-macos) 和 [RCS Agent for Mac](https://github.com/hackedteam/core-macos), 这是一个很好的示例,一些高级的恶意程序是如何在 **用户空间** 隐藏自己的(例如 `ps`、`ls`)。 想了解更多的话,看看 [A Brief Analysis of an RCS Implant Installer](https://objective-see.com/blog/blog_0x0D.html) 和 [reverse.put.as](https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/) -## System Integrity Protection +## 系统完整性保护 -[System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) is a new security feature of OS X 10.11. It is enabled by default, but [can be disabled](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/), which may be necessary to change some system settings, such as deleting root certificate authorities or unloading certain launch daemons. Keep this feature on, as it is by default. +[System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) 是 OS X 10.11 中一个新的安全特性。默认是开启的,不过[可以禁用](https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/),这可能需要更改某些系统设置,如删除根证书颁发机构或卸载某些启动守护进程。保持这项功能默认开启状态。 -From [What's New in OS X 10.11](https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html): +摘取自 [OS X 10.11 新增功能](https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html): -> A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted. +> 一项新的安全政策,应用于每个正在运行的进程,包括特权代码和非沙盒中运行的代码。该策略对磁盘上和运行时的组件增加了额外的保护,只允许系统安装程序和软件更新修改系统二进制文件。不再允许代码注入和运行时附加系统二进制文件。 -Also see [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really) +看看 [What is the “rootless” feature in El Capitan, really?](https://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really)。 -Some MacBook hardware has shipped with [SIP disabled](http://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros). To verify SIP is enabled, use the command `csrutil status`, which should return: `System Integrity Protection status: enabled.` Otherwise, [enable SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html) through Recovery Mode. +[禁用 SIP](http://appleinsider.com/articles/16/11/17/system-integrity-protection-disabled-by-default-on-some-touch-bar-macbook-pros) 的一些 MacBook 已经售出。要验证 SIP 是否已启用,请使用命令 `csrutil status`,该命令应返回: `System Integrity Protection status: enabled.`。 否则,通过恢复模式[启用 SIP](https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html)。 -## Gatekeeper and XProtect +## Gatekeeper 和 XProtect -**Gatekeeper** and the **quarantine** system try to prevent unsigned or "bad" programs and files from running and opening. +**Gatekeeper** 和 **quarantine** 系统试图阻止运行(打开)未签名或恶意程序及文件。 -**XProtect** prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware. +**XProtect** 防止执行已知的坏文件和过时的版本插件,但并不能清除或停止现有的恶意软件。 -Both offer trivial protection against common risks and are fine at default settings. +两者都提供了对常见风险的一些保护,默认设置就好。 -See also [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) and [Gatekeeper, XProtect and the Quarantine attribute](http://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html). +也看看 [Mac Malware Guide : How does Mac OS X protect me?](http://www.thesafemac.com/mmg-builtin/) 和 [Gatekeeper, XProtect and the Quarantine attribute](http://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html)。 -**Note** Quarantine stores information about downloaded files in `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`, which may pose a privacy risk. To examine the file, simply use `strings` or the following command: +**注意** Quarantine 会将下载的文件信息存储在 `~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2`,这可能会造成隐私泄露的风险。简单的使用 `strings` 或下面的命令来检查文件: $ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -See [here](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) for more information. +看看[这篇文章](http://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/) 了解更多信息。 -To permanently disable this feature, [clear the file](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) and [make it immutable](http://hints.macworld.com/article.php?story=20031017061722471): +想永久禁用此项功能,[清除文件](https://superuser.com/questions/90008/how-to-clear-the-contents-of-a-file-from-the-command-line) 和 [让它不可更改](http://hints.macworld.com/article.php?story=20031017061722471): $ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 $ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 -Furthermore, macOS attaches metadata ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X)) to downloaded files: +此外,macOS 附加元数据 ([HFS+ extended attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#OS_X))来下载文件: ``` $ ls -l@ ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg @@ -1284,24 +1284,24 @@ $ xattr -l ~/Downloads/TorBrowser-6.0.5-osx64_en-US.dmg [No output after removal.] ``` -## Passwords +## 密码 -You can generate strong passwords with OpenSSL: +你可以使用 OpenSSL 生成强密码: $ openssl rand -base64 30 LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI -Or GPG: +或者 GPG: $ gpg --gen-random -a 0 30 4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ -Or `/dev/urandom` output: +或 `/dev/urandom` output: $ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64 CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe -With control over character sets: +还可以控制字符集: $ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1 jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK @@ -1309,73 +1309,73 @@ With control over character sets: $ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1 686672u2Dh7r754209uD312hhh23uD7u41h3875D -You can also generate passwords, even memorable ones, using **Keychain Access** password assistant, or a command line equivalent like [anders/pwgen](https://github.com/anders/pwgen). +你也可以用 **Keychain Access(钥匙串访问)**生成一个令人难忘的密码,或者用 [anders/pwgen](https://github.com/anders/pwgen) 这样的命令行生成。 -Keychains are encrypted with a [PBKDF2 derived key](https://en.wikipedia.org/wiki/PBKDF2) and are a _pretty safe_ place to store credentials. See also [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain). Also be aware that Keychain [does not encrypt](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118) the names corresponding to password entries. +钥匙串使用 [PBKDF2 派生密钥](https://en.wikipedia.org/wiki/PBKDF2)加密,是个**非常安全**存储凭据的地方。看看 [Breaking into the OS X keychain](http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain)。还要注意钥匙串[不加密](https://github.com/drduh/OS-X-Security-and-Privacy-Guide/issues/118)的密码对应密码输入的名称。 -Alternatively, you can manage an encrypted passwords file yourself with GnuPG (shameless plug for my [drduh/pwd.sh](https://github.com/drduh/pwd.sh) password manager script). +或者,可以自己用 GnuPG (基于 [drduh/pwd.sh](https://github.com/drduh/pwd.sh) 密码管理脚本的一个插件)管理一个加密的密码文件。 -In addition to passwords, ensure eligible online accounts, such as GitHub, Google accounts, banking, have [two factor authentication](https://en.wikipedia.org/wiki/Two-factor_authentication) enabled. +除密码外,确保像 GitHub、 Google 账号、银行账户这些网上的账户,开启[两步验证](https://en.wikipedia.org/wiki/Two-factor_authentication)。 -Look to [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) for a two factor and private key (e.g., ssh, gpg) hardware token. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) and [trmm.net/Yubikey](https://trmm.net/Yubikey). One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example). +看看 [Yubikey](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/) 的两因素和私钥(如:ssh、gpg)硬件令牌。 阅读 [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) 和 [trmm.net/Yubikey](https://trmm.net/Yubikey)。两个 Yubikey 的插槽之一可以通过编程来生成一个长的静态密码(例如可以与短的,记住的密码结合使用)。 -## Backup +## 备份 -Always encrypt files locally before backing them up to external media or online services. +备份到外部介质或在线服务之前,总是先对本地文件进行加密。 -One way is to use a symmetric cipher with GPG and a password of your choosing. +一种方法是使用 GPG 对称加密,你选择一个密码。 -To encrypt a directory: +加密一个文件夹: $ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg -To decrypt an archive: +解密文档: $ gpg -o ~/Desktop/decrypted-backup.tar.gz -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \ tar zxvf ~/Desktop/decrypted-backup.tar.gz -You may also create encrypted volumes using **Disk Utility** or `hdiutil`: +你也可以用 **Disk Utility** 或 `hdiutil` 创建加密卷: $ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+ -Also see the following applications and services: [SpiderOak](https://spideroak.com/), [Arq](https://www.arqbackup.com/), [Espionage](https://www.espionageapp.com/), and [restic](https://restic.github.io/). +也可以考虑使用下面的应用和服务:[SpiderOak](https://spideroak.com/)、[Arq](https://www.arqbackup.com/)、[Espionage](https://www.espionageapp.com/) 和 [restic](https://restic.github.io/)。 ## Wi-Fi -macOS remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., *MyHomeNetwork*) each time it looks for a network, such as when waking from sleep. +macOS 会记住它连接过的接入点。比如所有无线设备,每次搜寻网络的时候,Mac 将会显示所有它记住的接入点名称(如,*MyHomeNetwork*) ,比如每次从休眠状态唤醒设备的时候。 -This is a privacy risk, so remove networks from the list in **System Preferences** > **Network** > **Advanced** when they're no longer needed. +这就有泄漏隐私的风险,所以当不再需要的时候最好从列表中移除这些连接过的网络, 在 **System Preferences** > **Network** > **Advanced** 。 -Also see [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) and [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf). +看看 [Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf) (pdf) 和 [Wi-Fi told me everything about you](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf) (pdf)。 -Saved Wi-Fi information (SSID, last connection, etc.) can be found in `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` +保存的 Wi-Fi 信息 (SSID、最后一次连接等)可以在 `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` 中找到。 -You may wish to [spoof the MAC address](https://en.wikipedia.org/wiki/MAC_spoofing) of your network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting: +你可能希望在连接到新的和不可信的无线网络之前[伪造网卡 MAC 地址](https://en.wikipedia.org/wiki/MAC_spoofing),以减少被动特征探测: $ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%') -**Note** MAC addresses will reset to hardware defaults on each boot. +**注意**每次启动,MAC 地址将重置为硬件默认地址。 -Also see [feross/SpoofMAC](https://github.com/feross/SpoofMAC). +了解下 [feross/SpoofMAC](https://github.com/feross/SpoofMAC). -Finally, WEP protection on wireless networks is [not secure](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) and you should favor connecting to **WPA2** protected networks only to mitigate the risk of passive eavesdroppers. +最后,WEP 保护在无线网络是[不安全](http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/) 的,你应该尽量选择连接 **WPA2** 保护网络,可以减少被窃听的风险。 ## SSH -For outgoing ssh connections, use hardware- or password-protected keys, [set up](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/) remote hosts and consider [hashing](http://nms.csail.mit.edu/projects/ssh/) them for added privacy. +对于向外的 ssh 连接,使用硬件或密码保护的秘钥,[设置](http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/)远程 hosts 并考虑对它们进行[哈希](http://nms.csail.mit.edu/projects/ssh/),以增强安全性。 -Here are several recommended [options](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5) to add to `~/.ssh/config`: +将这几个[配置项](https://www.freebsd.org/cgi/man.cgi?query=ssh_config&sektion=5)加到 `~/.ssh/config`: Host * PasswordAuthentication no ChallengeResponseAuthentication no HashKnownHosts yes -**Note** [macOS Sierra permanently remembers SSH key passphrases by default](https://openradar.appspot.com/28394826). Append the option `UseKeyChain no` to turn this feature off. +**注意** [macOS Sierra 默认永久记住 SSH 秘钥密码](https://openradar.appspot.com/28394826)。添加配置 `UseKeyChain no` 来关闭这项功能。 -You can also use ssh to create an [encrypted tunnel](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) to send your traffic through, which is similar to a VPN. +你也可以用 ssh 创建一个[加密隧道](http://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html) 来发送数据,这有点类似于 VPN。 -For example, to use Privoxy on a remote host: +例如,在一个远程主机上使用 Privoxy: $ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld @@ -1383,21 +1383,21 @@ For example, to use Privoxy on a remote host: $ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555 -Or to use an ssh connection as a [SOCKS proxy](https://www.mikeash.com/ssh_socks.html): +或者使用 ssh 连接作为 [SOCKS 代理](https://www.mikeash.com/ssh_socks.html): $ ssh -NCD 3000 you@remote-host.tld -By default, macOS does **not** have sshd or *Remote Login* enabled. +默认情况下, macOS **没有** sshd ,也不允许**远程登陆**。 -To enable sshd and allow incoming ssh connections: +启用 sshd 且允许进入的 ssh 连接: $ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist -Or use the **System Preferences** > **Sharing** menu. +或者设置 **System Preferences** > **Sharing** 菜单。 -If you are going to enable sshd, at least disable password authentication and consider further [hardening](https://stribika.github.io/2015/01/04/secure-secure-shell.html) your configuration. +如果你准备使用 sshd,至少禁用密码身份验证并考虑进一步[强化](https://stribika.github.io/2015/01/04/secure-secure-shell.html)配置。 -To `/etc/sshd_config`, add: +找到 `/etc/sshd_config`,添加: ``` PasswordAuthentication no @@ -1405,27 +1405,28 @@ ChallengeResponseAuthentication no UsePAM no ``` - Confirm whether sshd is enabled or disabled: +确认 sshd 是否启用: $ sudo lsof -Pni TCP:22 -## Physical access +## 物理访问 -Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such. +时刻保证 Mac 物理安全。不要将 Mac 留在无人照看的酒店之类的地方。 -A skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see [Thunderstrike](https://trmm.net/Thunderstrike), for example. +有一种攻击就是通过物理访问,通过注入引导 ROM 来安装键盘记录器,偷走你的密码。看看这个案例 [Thunderstrike](https://trmm.net/Thunderstrike)。 -A helpful tool is [usbkill](https://github.com/hephaest0s/usbkill), which is *"an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer"*. +有个工具 [usbkill](https://github.com/hephaest0s/usbkill) 可以帮助你,这是**"一个反监视断路开关,一旦发现 USB 端口发生改变就会关闭你的计算机"**。 -Consider purchasing a [privacy filter](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook) for your screen to thwart shoulder surfers. +考虑购买屏幕[隐私过滤器](https://www.amazon.com/s/ref=nb_sb_noss_2?url=node%3D15782001&field-keywords=macbook)防止别人偷瞄。 -## System monitoring -#### OpenBSM audit +## 系统监控 -macOS has a powerful OpenBSM auditing capability. You can use it to monitor process execution, network activity, and much more. +#### OpenBSM 监测 -To tail audit logs, use the `praudit` utility: +macOS 具有强大的 OpenBSM 审计功能。你可以使用它来监视进程执行,网络活动等等。 + +跟踪监测日志,使用 `praudit` 工具: ``` $ sudo praudit -l /dev/auditpipe @@ -1434,49 +1435,49 @@ header,88,11,connect(2),0,Thu Sep 1 12:00:00 2015, + 238 msec,argument,1,0x5,fd header,111,11,OpenSSH login,0,Thu Sep 1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111, ``` -See the manual pages for `audit`, `praudit`, `audit_control` and other files in `/etc/security` +看看 `audit`、`praudit`、`audit_control` 的操作手册,其它文件在 `/etc/security`目录下。 -**Note** although `man audit` says the `-s` flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect. +**注意** 虽然 `audit 手册` 上说 `-s` 标签会立即同步到配置中,实际上需要重启才能生效。 -See articles on [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) and [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) for more information. +更多信息请看 [ilostmynotes.blogspot.com](http://ilostmynotes.blogspot.com/2013/10/openbsm-auditd-on-os-x-these-are-logs.html) 和 [derflounder.wordpress.com](https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/) 上的文章。 #### DTrace -`iosnoop` monitors disk I/O +`iosnoop` 监控磁盘 I/O -`opensnoop` monitors file opens +`opensnoop` 监控文件打开 -`execsnoop` monitors execution of processes +`execsnoop` 监控进程执行 -`errinfo` monitors failed system calls +`errinfo` 监控失败的系统调用 -`dtruss` monitors all system calls +`dtruss` 监控所有系统调用 -See `man -k dtrace` for more information. +运行命令 `man -k dtrace` 去了解更多信息。 -**Note** [System Integrity Protection](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection) [interferes](http://internals.exposed/blog/dtrace-vs-sip.html) with DTrace, so it may no longer be possible to use these tools. +**注意** [系统完整性保护](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#system-integrity-protection)和 DTrace [冲突](http://internals.exposed/blog/dtrace-vs-sip.html), 所以这些工具可能用不上了。 -#### Execution +#### 运行 -`ps -ef` lists information about all running processes. +`ps -ef` 列出所有正在运行的进程。 -You can also view processes with **Activity Monitor**. +你也可以通过**活动监视器**来查看进程。 -`launchctl list` and `sudo launchctl list` list loaded and running user and system launch daemons and agents. +`launchctl list` 和 `sudo launchctl list` 分别列出用户运行和加载的程序,系统启动守护程序和代理。 -#### Network +#### 网络 -List open network files: +列出公开网络文件: $ sudo lsof -Pni -List contents of various network-related data structures: +列出各种网络相关的数据结构的内容: $ sudo netstat -atln -You can also use [Wireshark](https://www.wireshark.org/) from the command line. +你也可以通过命令行使用 [Wireshark](https://www.wireshark.org/)。 -Monitor DNS queries and replies: +监控 DNS 查询和响应: ``` $ tshark -Y "dns.flags.response == 1" -Tfields \ @@ -1486,7 +1487,7 @@ $ tshark -Y "dns.flags.response == 1" -Tfields \ -Eseparator=, ``` -Monitor HTTP requests and responses: +监控 HTTP 请求和响应: ``` $ tshark -Y "http.request or http.response" -Tfields \ @@ -1498,7 +1499,7 @@ $ tshark -Y "http.request or http.response" -Tfields \ -Eseparator=/s ``` -Monitor x509 certificates: +监控 x509 证书: ``` $ tshark -Y "ssl.handshake.certificate" -Tfields \ @@ -1511,17 +1512,17 @@ $ tshark -Y "ssl.handshake.certificate" -Tfields \ -Eseparator=/s -Equote=d ``` -Also see the simple networking monitoring application [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading) +也可以考虑简单的网络监控程序 [BonzaiThePenguin/Loading](https://github.com/BonzaiThePenguin/Loading)。 -## Miscellaneous +## 其它 -If you wish, disable [Diagnostics & Usage Data](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). +如果你想的话,禁用[诊断与用量](https://github.com/fix-macosx/fix-macosx/wiki/Diagnostics-&-Usage-Data). -If you want to play **music** or watch **videos**, use [VLC media player](https://www.videolan.org/vlc/index.html) which is free and open source. +如果你想播放**音乐**或看**视频**,使用 [VLC 播放器](https://www.videolan.org/vlc/index.html),这是免费且开源的。 -If you want to use **torrents**, use [Transmission](http://www.transmissionbt.com/download/) which is free and open source (note: like all software, even open source projects, [malware may still find its way in](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/)). You may also wish to use a block list to avoid peering with known bad hosts - see [Which is the best blocklist for Transmission](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) and [johntyree/3331662](https://gist.github.com/johntyree/3331662). +如果你想用 **torrents**, 使用免费、开源的 [Transmission](http://www.transmissionbt.com/download/)(注意:所有软件都一样,即使是开源项目,[恶意软件还是可能找到破解的方式](http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/))。你可能希望使用一个块列表来避免和那些已知的坏主机配对,了解下 [Transmission 上最好的块列表](https://giuliomac.wordpress.com/2014/02/19/best-blocklist-for-transmission/) 和 [johntyree/3331662](https://gist.github.com/johntyree/3331662)。 -Manage default file handlers with [duti](http://duti.org/), which can be installed with `brew install duti`. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see [Protecting Yourself From Sparklegate](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/)). Here are several recommended handlers to manage: +用 [duti](http://duti.org/) 管理默认文件处理,可以通过 `brew install duti` 来安装。管理扩展的原因之一是为了防止远程文件系统在 Finder 中自动挂载。 ([保护自己免受 Sparkle 后门影响](https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/))。这里有几个推荐的管理指令: ``` $ duti -s com.apple.Safari afp @@ -1533,73 +1534,73 @@ $ duti -s com.apple.Safari nfs $ duti -s com.apple.Safari smb ``` -Monitor system logs with the **Console** application or `syslog -w` or `log stream` commands. +使用**控制台**应用程序来监控系统日志,也可以用 `syslog -w` 或 `log stream` 命令。 -In systems prior to macOS Sierra (10.12), enable the [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) in `/etc/sudoers` to restrict the sudo session to the Terminal window/tab that started it. To do so, use `sudo visudo` and add the line `Defaults tty_tickets`. +在 macOS Sierra (10.12) 之前的系统,在 `/etc/sudoers`启用 [tty_tickets flag](https://derflounder.wordpress.com/2016/09/21/tty_tickets-option-now-on-by-default-for-macos-sierras-sudo-tool/) 来阻止 sudo 会话在其它终端生效。使用命令 `sudo visudo` 然后添加一行 `Defaults tty_tickets` 就可以了。 -Set your screen to lock as soon as the screensaver starts: +设置进入休眠状态时马上启动屏幕保护程序: $ defaults write com.apple.screensaver askForPassword -int 1 $ defaults write com.apple.screensaver askForPasswordDelay -int 0 -Expose hidden files and Library folder in Finder: +在 Finder 中显示隐藏文件和文件夹: $ defaults write com.apple.finder AppleShowAllFiles -bool true $ chflags nohidden ~/Library -Show all filename extensions (so that "Evil.jpg.app" cannot masquerade easily). +显示所有文件扩展名(这样 "Evil.jpg.app" 就无法轻易伪装了)。 $ defaults write NSGlobalDomain AppleShowAllExtensions -bool true -Don't default to saving documents to iCloud: +不要默认将文档保存到 iCloud: $ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false -Enable [Secure Keyboard Entry](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) in Terminal (unless you use [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) or applications such as [TextExpander](https://smilesoftware.com/textexpander/secureinput)). +在终端启用[安全键盘输入](https://security.stackexchange.com/questions/47749/how-secure-is-secure-keyboard-entry-in-mac-os-xs-terminal) (除非你用 [YubiKey](https://mig5.net/content/secure-keyboard-entry-os-x-blocks-interaction-yubikeys) 或者像 [TextExpander](https://smilesoftware.com/textexpander/secureinput) 这样的程序)。 -Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple): +禁用崩溃报告(就是那个在程序崩溃后,会出现提示将问题报告给苹果的提示框): $ defaults write com.apple.CrashReporter DialogType none -Disable Bonjour [multicast advertisements](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): +禁用 Bonjour [多播广告](https://www.trustwave.com/Resources/SpiderLabs-Blog/mDNS---Telling-the-world-about-you-(and-your-device)/): $ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES -[Disable Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) and Bluetooth features, if they aren't necessary. +如果用不上的话,[禁用 Handoff](https://apple.stackexchange.com/questions/151481/why-is-my-macbook-visibile-on-bluetooth-after-yosemite-install) 和蓝牙功能。 -Consider [sandboxing](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) your applications. See [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) and [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles). +考虑 [sandboxing](https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/sandbox-exec.1.html) 你的应用程序。 了解下 [fG! Sandbox Guide](https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v0.1.pdf) (pdf) 和 [s7ephen/OSX-Sandbox--Seatbelt--Profiles](https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles)。 -Did you know Apple has not shipped a computer with TPM since [2006](http://osxbook.com/book/bonus/chapter10/tpm/)? +你知道苹果公司自 [2006](http://osxbook.com/book/bonus/chapter10/tpm/) 后就不再出售带 TPM 的电脑了吗? -## Related software +## 相关软件 -[Santa](https://github.com/google/santa/) - A binary whitelisting/blacklisting system for Mac OS X. +[Santa](https://github.com/google/santa/) - Mac OS X 上一个带二进制白名单/黑名单监控系统的软件。 -[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - checks your OSX machine against various hardened configuration settings. +[kristovatlas/osx-config-check](https://github.com/kristovatlas/osx-config-check) - 检查你的 OSX 设备各种硬件配置设置。 -[Lockdown](https://objective-see.com/products/lockdown.html) - audits and remediates security configuration settings. +[Lockdown](https://objective-see.com/products/lockdown.html) - 审查和修正安全配置。 -[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - scan for applications that are either susceptible to dylib hijacking or have been hijacked. +[Dylib Hijack Scanner](https://objective-see.com/products/dhs.html) - 扫描那些容易被劫持或已经被黑的应用。 -[Little Flocker](https://www.littleflocker.com/) - "Little Snitch for files"; prevents applications from accessing files. +[Little Flocker](https://www.littleflocker.com/) - "Little Snitch for files", 防止应用程序访问文件。 -[facebook/osquery](https://github.com/facebook/osquery) - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information. +[facebook/osquery](https://github.com/facebook/osquery) - 可以检索系统底层信息。用户可以编写 SQL 来查询系统信息。 -[google/grr](https://github.com/google/grr) - incident response framework focused on remote live forensics. +[google/grr](https://github.com/google/grr) - 事件响应框架侧重于远程现场取证。 -[yelp/osxcollector](https://github.com/yelp/osxcollector) - forensic evidence collection & analysis toolkit for OS X. +[yelp/osxcollector](https://github.com/yelp/osxcollector) - 证据收集 & OS X 分析工具包。 -[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names. +[jipegit/OSXAuditor](https://github.com/jipegit/OSXAuditor) - 分析运行系统时的部件,比如隔离的文件, Safari、 Chrome 和 Firefox 历史记录, 下载, HTML5 数据库和本地存储、社交媒体、电子邮件帐户、和 Wi-Fi 接入点的名称。 -[libyal/libfvde](https://github.com/libyal/libfvde) - library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. +[libyal/libfvde](https://github.com/libyal/libfvde) - 访问 FileVault Drive Encryption (FVDE) (或 FileVault2) 加密卷的库。 -[CISOfy/lynis](https://github.com/CISOfy/lynis) - cross-platform security auditing tool and assists with compliance testing and system hardening. +[CISOfy/lynis](https://github.com/CISOfy/lynis) - 跨平台安全审计工具,并协助合规性测试和系统强化。 -## Additional resources +## 其它资源 -*In no particular order* +*排名不分先后* [MacOS Hardening Guide - Appendix, Mac OS X and iOS Internals](http://newosxbook.com/files/moxii3/AppendixA.pdf)