Total Pageviews

Wednesday, 6 July 2016

mac机器的安全指南

This is a collection of thoughts on securing a modern Apple Mac computer using OS X 10.11 "El Capitan", as well as steps to improving online privacy.
This guide is targeted to “power users” who wish to adopt enterprise-standard security, but is also suitable for novice users with an interest in improving their privacy and security on a Mac.
There is no security silver bullet. A system is only as secure as its administrator is capable of making it.
I am not responsible if you break a Mac by following any of these steps.
If you wish to make a correction or improvement, please send a pull request or open an issue.

Basics

The standard best security practices apply:
  • Create a threat model
    • What are you trying to protect and from whom? Is your adversary a three letter agency (if so, you may want to consider using OpenBSD instead), a nosy eavesdropper on the network, or determined apt orchestrating a campaign against you?
    • Study and recognize threats and how to reduce attack surface.
  • Keep the system up to date
    • Patch, patch, patch your system and software.
    • Subscribe to announcement mailing lists (e.g., Apple security-announce) for programs you use often.
  • Encrypt sensitive data
    • In addition to full disk encryption, create one or many encrypted containers to store passwords, keys and personal documents.
    • This will mitigate damage in case of compromise and data exfiltration.
  • Frequent backups
    • Create regular backups of your data and be ready to reimage in case of compromise.
    • Always encrypt before copying backups to external media or the "cloud".
  • Click carefully
    • Ultimately, the security of a system can be reduced to its administrator.
    • Care should be taken when installing new software. Always prefer free and open source software (which OS X is not).

Preparing and Installing OS X

There are several ways to install a fresh copy of OS X.
The simplest way is to boot into Recovery Mode by holding Command and R keys at boot. A system image can be downloaded and applied directly from Apple. However, this way exposes the computer's serial number and other identifying information to Apple.
Another way is to download OS X El Capitan from the App Store or some other place and create a custom, installable system image.
The application is code signed, which should be verified to make sure you received a legitimate copy:
$ codesign -dvv /Applications/Install\ OS\ X\ El\ Capitan.app
Executable=/Applications/Install OS X El Capitan.app/Contents/MacOS/InstallAssistant
Identifier=com.apple.InstallAssistant.ElCapitan
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=280 flags=0x200(kill) hashes=4+5 location=embedded
Signature size=4167
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Info.plist entries=31
TeamIdentifier=K36BKF7T3D
Sealed Resources version=2 rules=7 files=152
Internal requirements count=1 size=124
OS X installers can be made with the createinstallmedia utility included in Install OS X El Capitan.app/Contents/Resources/. See Create a bootable installer for OS X Yosemite, or run the utility without arguments to see how it works.
Note Apple's installer does not appear to work across OS versions. If you want to build a 10.9 image, for example, the following steps must be run on a 10.9 machine.
To create a bootable USB OS X installer, mount a disk and erase it to default options in Disk Utility, then:
$ cd /Applications/Install\ OS\ X\ El\ Capitan.app
$ sudo ./Contents/Resources/createinstallmedia --volume /Volumes/Untitled --applicationpath /Applications/Install\ OS\ X\ El\ Capitan.app --nointeraction
Erasing Disk: 0%... 10%... 20%... 30%... 100%...
Copying installer files to disk...
Copy complete.
Making disk bootable...
Copying boot files...
Copy complete.
Done.
Otherwise, to create a custom installable image which can be restored to a Mac, you will need to find the fileInstallESD.dmg, which is also inside Install OS X El Capitan.app.
Right click, select Show Package Contents and navigate to Contents > SharedSupport to find InstallESD.dmg.
You can verify the following cryptographic hashes to ensure you have the same, authentic copy by using a command likeshasum -a256 InstallESD.dmg and so on.
You can also Google these hashes to ensure your copy is genuine and has not been tampered with.
See InstallESD_Hashes.csv in this repository for a list of current and previous build hashes.
Mount and install the operating system to a temporary image, or use the GUI app MagerValp/AutoDMG:
$ hdiutil attach -noverify -mountpoint /tmp/installesd ./InstallESD.dmg
$ hdiutil create -size 32g -type SPARSE -fs HFS+J -volname "OS X" -uid 0 -gid 80 -mode 1775 /tmp/output.sparseimage
$ hdiutil attach -noverify -mountpoint /tmp/os -owners on /tmp/output.sparseimage
$ sudo installer -pkg /tmp/installesd/Packages/OSInstall.mpkg -tgt /tmp/os
This part will take a while, so just be patient. You can tail -F /var/log/install.log to check progress.
Optionally, install any other packages to the image, such as Wireshark:
$ hdiutil mount Wireshark\ 2.0.1\ Intel\ 64.dmg
$ sudo installer -pkg /Volumes/Wireshark/Wireshark\ 2.0.1\ Intel\ 64.pkg -tgt /tmp/os
$ hdiutil unmount /Volumes/Wireshark
See MagerValp/AutoDMG/wiki/Packages-Suitable-for-Deployment for caveats and check out chilcote/outset to instead processes packages and scripts at first boot.
When you're done, detach, convert and verify the image:
$ hdiutil detach /tmp/os
$ hdiutil detach /tmp/installesd
$ hdiutil convert -format UDZO /tmp/output.sparseimage -o ~/elcap.dmg
$ asr imagescan --source ~/elcap.dmg
Now, elcap.dmg is ready to be applied to one or multiple Macs. You can further customize the image to include premade users, applications and preferences to your liking.
This image can be installed using another Mac in Target Disk Mode.
To use Target Disk Mode, boot up the Mac you wish to image while holding T and connect it to another using Firewire, Thunderbolt or USB-C.
If you don't have another Mac, boot to a USB installer, with elcap.dmg and other required files copied to it, by holding theOption key at boot.
Run diskutil list to identify the connected disk, usually /dev/disk2
Erase the disk to Journaled HFS+:
$ diskutil unmountDisk /dev/disk2
$ diskutil partitionDisk /dev/disk2 1 JHFS+ OSX 100%
Restore the image to the new volume:
$ sudo asr restore --source ~/elcap.dmg --target /Volumes/OSX --erase --noverify --buffersize 4m
Alternatively, use the Disk Utility application to erase the connected Mac's disk, then restore elcap.dmg to the new partition.
If you've followed these steps correctly, the target Mac should now have a new install of OS X.
If you want to transfer any files, copy them to a folder like /Users/Shared on the mounted disk image, e.g. cp Xcode_7.0.dmg /Volumes/OS\ X/Users/Shared
Finished restore install from USB recovery boot
Finished restore install from USB recovery boot
We're not done yet! Unless you have built the image with AutoDMG, or installed OS X to a second partition on your Mac, you will need to create a recovery partition. You can do so using MagerValp/Create-Recovery-Partition-Installer or using the following manual steps:
RecoveryHDUpdate.dmg

SHA-256: f6a4f8ac25eaa6163aa33ac46d40f223f40e58ec0b6b9bf6ad96bdbfc771e12c
SHA-1:   1ac3b7059ae0fcb2877d22375121d4e6920ae5ba
Attach and expand the installation, then run it:
$ hdiutil attach RecoveryHDUpdate.dmg
$ pkgutil --expand /Volumes/Mac\ OS\ X\ Lion\ Recovery\ HD\ Update/RecoveryHDUpdate.pkg /tmp/recovery
$ hdiutil attach /tmp/recovery/RecoveryHDUpdate.pkg/RecoveryHDMeta.dmg
$ /tmp/recovery/RecoveryHDUpdate.pkg/Scripts/Tools/dmtest ensureRecoveryPartition /Volumes/OS\ X/ /Volumes/Recovery\ HD\ Update/BaseSystem.dmg 0 0 /Volumes/Recovery\ HD\ Update/BaseSystem.chunklist
Replace /Volumes/OS\ X with the path to the target disk mode-booted Mac.
This step will take several minutes. Run diskutil list again to make sure Recovery HD now exists.
Once you're done, eject the disk with hdiutil unmount /Volumes/OS\ X and power down the connected Mac.

First boot

On first boot, hold Command Option P and R keys to clear NVRAM.
Wait for the loud, obnoxious gong and keep holding while the Mac reboots once.
When OS X first starts, you'll be greeted by Setup Assistant.
Do not connect to networking yet; skip that part of the setup for now.
When creating your account, use a strong password without a hint.
Don't use your real name for your account as it'll show up as So-and-so's Macbook through sharing services to local networks.

Full disk encryption

Filevault provides full disk (technically, full volume) encryption on OS X.
Filevault encryption will protect data at rest and prevent someone with physical access from stealing data or tampering with your Mac.
With much crypto happening in hardware, the performance penalty for Filevault is not noticeable.
The security of Filevault 2 greatly depends on the pseudo random number generator (PRNG).
The random device implements the Yarrow pseudo random number generator algorithm and maintains its entropy pool. Additional entropy is fed to the generator regularly by the SecurityServer daemon from random jitter measurements of the kernel.
SecurityServer is also responsible for periodically saving some entropy to disk and reloading it during startup to provide entropy in early system operation.
See man 4 random for more information.
The PRNG can be manually seeded with entropy by writing to /dev/random before enabling Filevault 2. This can be done by simply using the Mac for a little while before activating Filevault 2.
Enable Filevault with sudo fdesetup enable or using System Preferences and reboot.
If you can remember your password, there's no reason to save the recovery key. However, your encrypted data will be lost forever if you can't remember the password or recovery key.
If you want to know more about how Filevault 2 works, see the paper Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption [pdf] and related presentation [PDF].
You may wish to enforce hibernation and evict Filevault keys from memory instead of traditional sleep to memory:
$ sudo pmset -a destroyfvkeyonstandby 1
$ sudo pmset -a hibernatemode 25
All computers have firmware of some type—EFI, BIOS—to help in the discovery of hardware components and ultimately to properly bootstrap the computer using the desired OS instance. In the case of Apple hardware and the use of EFI, Apple stores relevant information within EFI to aid in the functionality of OS X. For example, the FileVault key is stored in EFI to transparently come out of standby mode.
Organizations especially sensitive to a high-attack environment, or potentially exposed to full device access when the device is in standby mode, should mitigate this risk by destroying the FileVault key in firmware. Doing so doesn’t destroy the use of FileVault, but simply requires the user to enter the password in order for the system to come out of standby mode.

Firmware password

Setting a firmware password in OS X prevents your Mac from starting up from any device other than your startup disk. It can also be helpful if your laptop is stolen, as the only way to reset the firmware password is through an Apple Store (or is it?).
  1. Start up holding the Command and R keys to boot from OS X Recovery mode.
  2. When the Recovery window appears, choose Firmware Password Utility from the Utilities menu.
  3. In the Firmware Utility window that appears, select Turn On Firmware Password.
  4. Enter a new password, then enter the same password in the Verify field.
  5. Select Set Password.
  6. Select Quit Firmware Utility to close the Firmware Password Utility.
  7. Select the Apple menu and choose Restart or Shutdown.
The firmware password will activate at next boot. To validate the password, hold alt during boot - you should be prompted to enter the password.

Firewall

Before connecting to the Internet, it's a good idea to first configure a firewall.
There are several types of firewall for OS X.

Application layer firewall

Built-in, basic firewall which blocks incoming connections only.
Note, this firewall does not have the ability to monitor, nor block outgoing connections.
It can be controlled by the Firewall tab of Security & Privacy in System Preferences, or with the following commands.
Enable the firewall:
$ sudo defaults write /Library/Preferences/com.apple.alf globalstate -bool true
Enable logging:
$ sudo defaults write /Library/Preferences/com.apple.alf loggingenabled -bool true
You may also wish to enable stealth mode:
$ sudo defaults write /Library/Preferences/com.apple.alf stealthenabled -bool true
Computer hackers scan networks so they can attempt to identify computers to attack. You can prevent your computer from responding to some of these scans by using stealth mode. When stealth mode is enabled, your computer does not respond to ICMP ping requests, and does not answer to connection attempts from a closed TCP or UDP port. This makes it more difficult for attackers to find your computer.
Finally, you may wish to disable feature, Automatically allow signed software to receive incoming connections:
$ sudo defaults write /Library/Preferences/com.apple.alf allowsignedenabled -bool false
Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.
If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.

Third party firewalls

Programs such as Little SnitchHands OffRadio Silence and Security Growler provide a good balance of usability and security.
Example of Little Snitch monitored session
Example of Little Snitch-monitored session
These programs are capable of monitoring and blocking incoming and outgoing network connections. However, they may require the use of a closed source kernel extension.
If the number of choices of allowing/blocking network connections is overwhelming, use Silent Mode with connections allowed, then periodically check your settings to gain understanding of what various applications are doing.
It is worth noting that these firewalls can be bypassed by programs running as root or through OS vulnerabilities [pdf], but they are still worth having - just don't expect absolute protection.

Kernel level packet filtering

A highly customizable, powerful, but also most complicated firewall exists in the kernel. It can be controlled with pfctl and various configuration files.
pf also be controlled with a GUI application such as IceFloor or Murus.
There are many books and articles on the subject of pf firewall. Here's is just one example of blocking traffic by IP address.
Put the following into a file called pf.rules:
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0
scrub in all no-df
table <blocklist> persist
block in log
block in log quick from no-route to any
pass out proto tcp from any to any keep state
pass out proto udp from any to any keep state
block log on en0 from {<blocklist>} to any
Use the following commands:
  • sudo pfctl -e -f pf.rules to enable the firewall
  • sudo pfctl -d to disable the firewall
  • sudo pfctl -t blocklist -T add 1.2.3.4 to add hosts to a blocklist
  • sudo pfctl -t blocklist -T show to view the blocklist
  • sudo ifconfig pflog0 create to create an interface for logging
  • sudo tcpdump -ni pflog0 to dump the packets
Unless you're already familiar with packet filtering, spending too much time configuring pf is not recommended. It is also probably unnecessary if your Mac is behind a NAT on a secured home network, for example.
For an example of using pf to audit "phone home" behavior of user and system-level processes, see fix-macosx/net-monitor.

Services

Before you connect to the Internet, you may wish to disable some system services, which use up resources or phone home to Apple.
Services on OS X are managed by launchd. See http://launchd.info/, as well as Apple's Daemons and Services Programming Guide and Technical Note TN2083
You can also run KnockKnock that shows more information about startup items.
  • Use launchctl list to view running user agents
  • Use sudo launchctl list to view running system daemons
  • Specify the service name to examine it, e.g. launchctl list com.apple.Maps.mapspushd
  • Use defaults read to examine job plists in /System/Library/LaunchDaemons and /System/Library/LaunchAgents
  • Use manstrings and Google to learn about what the agent/daemon runs
For example, to learn what a system launch daemon or agent does, start with:
$ defaults read /System/Library/LaunchDaemons/com.apple.apsd.plist
Look at the Program or ProgramArguments section to see which binary is run, in this case apsd. To find more information about that, look at the man page with man apsd
For example, if you're not interested in Apple Push Notifications, disable the service:
$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.apsd.plist
Note Unloading services may break usability of some applications. Read the manual pages and use Google to make sure you understand what you're doing first.
Be careful about disabling any system daemons you don't understand, as it may render your system unbootable. If you break your Mac, use single user mode to fix it.
Use Console and Activity Monitor applications if you notice your Mac heating up, feeling slugging, or generally misbehaving, as it may have resulted from your tinkering.
To view currently disabled services:
$ find /var/db/com.apple.xpc.launchd/ -type f -print -exec defaults read {} \; 2>/dev/null
Annotated lists of launch daemons and agents, the respective program executed, and the programs' hash sums are included in this repository.
You may run the read_launch_plists.py script and diff output to check for any discrepancies on your system, e.g.:
$ diff <(python read_launch_plists.py) <(cat 14F27_launchd.csv)
See also cirrusj.github.io/Yosemite-Stop-Launch for descriptions of services and Provisioning OS X and Disabling Unnecessary Services for another explanation.

Spotlight Suggestions

Disable “Spotlight Suggestions” in both the Spotlight preferences and Safari's Search preferences to avoid your search queries being sent to Apple.
Also disable "Bing Web Searches" in the Spotlight preferences to avoid your search queries being sent to Microsoft.
See fix-macosx.com for detailed instructions.
If you've upgraded to Mac OS X Yosemite (10.10) and you're using the default settings, each time you start typing in Spotlight (to open an application or search for a file on your computer), your local search terms and location are sent to Apple and third parties (including Microsoft).
Speaking of Microsoft, you may want to see https://fix10.isleaked.com/ just for fun.

Homebrew

Consider using Homebrew to make software installations easier and to update userland tools (see Apple’s great GPL purge).
If you have not already installed Xcode or Command Line Tools, run xcode-select --install and a prompt should appear to download and install CLI Tools.
To install Homebrew:
$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Or, see homebrew/Installation.md for other installation options.
Homebrew uses SSL/TLS to talk with github and verifies checksums of downloaded packages, so it's fairly secure.
Alternatively, you could download, compile and install software directly from their respective open source repositories.
Remember to periodically run brew update and brew upgrade on trusted, secure networks to install software updates.
According to Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md, Homebrew will start logging user behaviour trough Google Analytics.
The documentation says the user can opt-out by including an environment variable HOMEBREW_NO_ANALYTICS=1. Include that on your .bashrcor .zshrc.

DNS

Hosts file

Use the hosts file to block known malware, advertising or otherwise unwanted domains.
Edit the hosts file as root, for example with sudo vi /etc/hosts. The hosts file can also be managed with the GUI app2ndalpha/gasmask.
To block a domain, just add 0 facebook.com (0 means 0.0.0.0, a null route).
There are many lists of domains available online which you can paste in, just make sure each line starts with 0 or127.0.0.1, and the line 127.0.0.1 localhost is included.

dnsmasq

Among other features, dnsmasq is able to cache replies, prevent upstreaming queries for unqualified names, and block entire TLDs.
Use in combination with dnscrypt to additionally encrypt outgoing DNS traffic.
If you don't wish to use dnscrypt, you should at least use DNS not provided by your ISP. Two popular alternatives areGoogle DNS and OpenDNS.
DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity. All answers from DNSSEC protected zones are digitally signed. The signed records are authenticated via a chain of trust, starting with a set of verified public keys for the DNS root-zone. The current root-zone trust anchors may be downloaded from IANA website. There are a number of resources on DNSSEC, but probably the best one is dnssec.net website.
Install dnsmasq (dnssec is optional):
$ brew install dnsmasq --with-dnssec
$ mkdir -p /usr/local/etc
$ cp /usr/local/opt/dnsmasq/dnsmasq.conf.example /usr/local/etc/dnsmasq.conf
Edit the configuration:
$ vim /usr/local/etc/dnsmasq.conf
Have a look through the commented-out options. Here are a few recommended settings to enable:
# Forward queries to dnscrypt on localhost
server=127.0.0.1#5355

# Never forward plain names
domain-needed

# Examples of blocking TLDs or subdomains
address=/.onion/0.0.0.0
address=/.local/0.0.0.0
address=/.mycoolnetwork/0.0.0.0
address=/.facebook.com/0.0.0.0

# Never forward addresses in the non-routed address spaces
bogus-priv

# Reject private addresses from upstream nameservers
stop-dns-rebind

# Query servers in order
strict-order

# Set the size of the cache
# The default is to keep 150 hostnames
cache-size=8192

# Optional logging directives
log-async
log-dhcp
log-queries
log-facility=/var/log/dnsmasq.log

# DNSSEC options
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned
Install and start the program:
$ sudo cp -fv /usr/local/opt/dnsmasq/*.plist /Library/LaunchDaemons
$ sudo chown root /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
Open System Preferences > Network and select the active interface, then the DNS tab, select + and add 127.0.0.1 as a DNS server, or use the command:
$ sudo networksetup -setdnsservers "Wi-Fi" 127.0.0.1
Make sure dnsmasq is running with sudo lsof -ni UDP:53 and is correctly configured with scutil or networksetup:
$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : mycoolnetwork
  nameserver[0] : 127.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : Reachable,Local Address

$ networksetup -getdnsservers "Wi-Fi"
127.0.0.1
Note Some VPN software overrides DNS settings on connect. See issue #24 for more information.
Test DNSSEC validation
Test DNSSEC validation succeeds for signed zones:
$ dig +dnssec icann.org
Reply should have NOERROR status and contain ad flag. For instance,
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
Test DNSSEC validation fails for zones that are signed improperly:
$ dig www.dnssec-failed.org
Reply should have SERVFAIL status. For instance,
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15190
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dnscrypt

Use dnscrypt to encrypt DNS traffic to the provider of choice.
If you prefer a GUI application, see alterstep/dnscrypt-osxclient.
Install the program:
$ brew install dnscrypt-proxy
$ sudo cp -fv /usr/local/opt/dnscrypt-proxy/*.plist /Library/LaunchDaemons
$ sudo chown root /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist
If using in combination with dnsmasq, edit /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist to have this line:
<string>--local-address=127.0.0.1:5355</string>
Below the line:
<string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string>
dnscrypt
Append a local-address line to use dnscrypt on a port other than 53, like 5355.
This can also be done using Homebrew, by installing gnu-sed and using the command:
$ sudo gsed -i "/sbin\\/dnscrypt-proxy<\\/string>/a<string>--local-address=127.0.0.1:5355<\\/string>\n" /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist
By default, the resolvers-list will point to the dnscrypt version specific resolvers file. When dnscrypt is updated, this version may no longer exist, and if it does, may point to an outdated file. This can be fixed by changing the resolvers file in/Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist to the symlinked version in /usr/local/share:
<string>--resolvers-list=/usr/local/share/dnscrypt-proxy/dnscrypt-resolvers.csv</string>
Start the program:
$ sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist
Make sure dnscrypt is running with sudo lsof -ni UDP:5355 or ps -ef | grep '[d]nscrypt'
By default, dnscrypt-proxy runs on localhost (127.0.0.1), port 53, and under the "nobody" user using the dnscrypt.eu-dk DNSCrypt-enabled resolver. If you would like to change these settings, you will have to edit the plist file (e.g., --resolver-address, --provider-name, --provider-key, etc.)
This can be accomplished by editing /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist.
You can run your own dnscrypt server from a trusted location or use one of many public servers instead.
Confirm outgoing dns traffic is encrypted:
$ sudo tcpdump -qtni en0
IP 10.8.8.8.59636 > 77.66.84.233.443: UDP, length 512
IP 77.66.84.233.443 > 10.8.8.8.59636: UDP, length 368

$ dig +short -x 77.66.84.233
resolver2.dnscrypt.eu

Captive portal

When OS X connects to new networks, it probes the network and launches a Captive Portal assistant utility if connectivity can't be determined.
An attacker could trigger the utility and direct a Mac to a site with malware without user interaction, so it's best to disable this feature and log in to captive portals using your regular Web browser, provided you have first disable any custom dns and/or proxy settings.
$ sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false

Certificate authorities

OS X El Capitan comes with over 200 root certificate authorities from for-profit corporations like Apple, Verisign, Thawte, Digicert and government agencies from China, Japan, Netherlands, U.S., and more! These CAs are capable of issuing SSL certificates for any domain or code signing certificates as well.
You can inspect system root certificates in Keychain Access, under the System Roots tab or by using the securitycommand line tool and /System/Library/Keychains/SystemRootCertificates.keychain file.
You can disable certificate authorities through Keychain Access by marking them as Never Trust.
The risk of a man in the middle attack in which a coerced or compromised certificate authority trusted by your system issues a fake/rogue SSL certificate is quite low, but still possible.

OpenSSL

The version of openssl in El Capitan is 0.9.8zg which is not current. It doesn't support TLS 1.1 or newer, elliptic curve ciphers, and more.
Apple claims OpenSSL is deprecated in their Cryptographic Services Guide document. Their version also has patches which may surprise you.
Grab a recent version of OpenSSL with brew install openssl. Note, linking brew to be used in favor of/usr/bin/openssl may interfere with building software. See issue #39.
For example, compare the TLS protocol and cipher between the homebrew version and the system version of OpenSSL,
$ openssl version; echo | openssl s_client -connect github.com:443 2>&1 | grep -A2 SSL-Session
OpenSSL 1.0.2d 9 Jul 2015
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

$ ^openssl^/usr/bin/openssl
OpenSSL 0.9.8zg 14 July 2015
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
Also see Comparison of TLS implementationsHow's My SSLQualys SSL Labs Tools and for detailed explanations and with latest vulnerabilities tests ssl-checker.online-domain-tools.com.

Curl

The version of curl which comes with OS X uses Secure Transport for SSL/TLS validation.
If you prefer to use OpenSSL, install with brew install curl --with-openssl and ensure it's the default with brew link --force curl
Here are several recommended options to add to ~/.curlrc (see man curl for more):
user-agent = "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
referer = ";auto"
connect-timeout = 10
progress-bar
max-time = 90
verbose
show-error
remote-time
ipv4

HTTP

Consider using privoxy as a local proxy to sanitize and customize web browsing traffic.
A signed installation package for privoxy can be downloaded from Sourceforge or silvester.org.uk. The signed package ismore secure than the Homebrew version, and attracts full support from the Privoxy project.
Alternatively, install and start privoxy using Homebrew:
$ brew install privoxy
$ ln -sfv /usr/local/opt/privoxy/*.plist ~/Library/LaunchAgents
$ launchctl load ~/Library/LaunchAgents/homebrew.mxcl.privoxy.plist
By default, privoxy listens on local TCP port 8118.
Set the system http proxy for your active network interface 127.0.0.1 and 8118 (This can be done through System Preferences > Network > Advanced > Proxies):
$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 8118
Optionally, you can set the system https proxy, which allows for domain name filtering, with
$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 8118
Confirm the proxy is set with the command scutil --proxy. You can also visit http://p.p/ in a web browser, or:
$ ALL_PROXY=127.0.0.1:8118 curl -I http://p.p/
Privoxy already comes with many good rules, however you can also write your own.
Edit /usr/local/etc/privoxy/user.action to filter elements by domain or with regular expressions, e.g.:
{ +block{unwanted stuff} }
www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php
.foxnews.com
/cleardot.gif
/.*linkedin.*

{ +block{ad images} +handle-as-image }
/.*1x1.gif
/.*fb-icon.*
/assets/social-.*
/img/social.*

{ +redirect{s@http://@https://@} }
.google.com
code.jquery.com
imgur.com
.wikipedia.org
You can even replace ad images with pictures of kittens by starting the a local web server and redirecting blocked privoxy requests to 127.0.0.1.
Consider logging and monitoring privoxy requests so you can be inspired to write custom rules.

Web browsing

The web browser poses the largest security and privacy risk, as its fundamental job is to download and execute untrusted code from the Internet.
Use Google Chrome for most of your browsing. It offers separate profilesgood sandboxingfrequent updates (including Flash, although you should disable it - see below), and carries impressive credentials.
Chrome also comes with a great PDF viewer.
If you don't want to use Chrome, Firefox is an excellent browser as well. Or simply use both. See discussion in issues #2,#90.
If using Firefox, see TheCreeper/PrivacyFox for recommended privacy preferences. Also be sure to check out NoScript for Mozilla-based browsers, which allows whitelist-based, pre-emptive script blocking.
Create at least three profiles, one for browsing trusted web sites (email, banking), another for untrusted (link aggregators, news sites), and a third for a completely cookie-less and script-less experience.
  • One profile without cookies or Javascript enabled (e.g., turned off in chrome://settings/content) which should be the preferred profile to visiting untrusted web sites. However, many pages will not load at all without Javascript enabled.
  • One profile with uMatrix (or uBlock, a simpler version). Use this profile for visiting mostly trusted web sites. Take time to learn how these firewall extensions work. Other frequently recommended extensions are Privacy Badger,HTTPSEverywhere and CertPatrol (Firefox only).
  • One (or more) profile(s) for your "real name", signed-in browsing needs such as banking and email (however, don't open email links from this profile).
The idea is to separate and compartmentalize your data, so that an exploit or privacy violation in one session does not necessarily affect data in another.
In each profile, visit chrome://plugins/ and disable Adobe Flash Player. If you must use Flash, visitchrome://settings/contents to enable Let me choose when to run plugin content, under the Plugins section (also known as click-to-play).
Take some time to read through Chromium Security and Chromium Privacy.
For example you may wish to disable DNS prefetching (see also DNS Prefetching and Its Privacy Implications [pdf]).
Also be aware of WebRTC, which may reveal your local or public (if connected to VPN) IP address(es). This can be disabled with extensions such as uBlock Origin and rentamob/WebRTC-Leak-Prevent.
Many Chromium-derived browsers are not recommended. They are usually closed sourcepoorly maintainedhave bugs, and make dubious claims to protect privacy. See The Private Life of Chromium Browsers.
Safari is not recommended. The code is a mess and security vulnerabilities are frequent, and slower to patch (seediscussion on Hacker News). Security does not appear to be a priority for Safari. If you do use it, at least disable the Open "safe" files after downloading option in Preferences, and be aware of other privacy nuances.
Other miscellaneous browsers, such as Brave, are not evaluated in this guide, so are neither recommened nor actively discouraged from use.
For more information about security conscious browsing, see HowTo: Privacy & Security Conscious Browsing,browserleaks.com and EFF Panopticlick.

Plugins

Adobe FlashOracle JavaAdobe ReaderMicrosoft Silverlight (Netflix now works with HTML5) and other plugins aresecurity risks and should not be installed.
If they are necessary, only use them in a disposable virtual machine and subscribe to security announcements to make sure you're always patched.

PGP/GPG

PGP is a standard for encrypting email end to end. That means only the chosen recipients can decrypt a message, unlike regular email which is read and forever archived by providers.
GPG, or GNU Privacy Guard, is a GPL licensed program compliant with the standard.
GPG is used to verify signatures of software you download and install, as well as symmetrically or asymmetrically encrypt files and text.
Install with brew install gnupg, or if you prefer to install a newer, more feature-rich stable version, use brew install homebrew/versions/gnupg21
If you prefer a GUI, check out GPG Suite.
Here are several recommended options to add to ~/.gnupg/gpg.conf:
auto-key-locate keyserver
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url
keyserver-options ca-cert-file=/etc/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyserver-options debug
keyserver-options verbose
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
cert-digest-algo SHA512
s2k-digest-algo SHA512
charset utf-8
fixed-list-mode
no-comments
no-emit-version
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
Install the keyservers CA certificate:
$ curl -O https://sks-keyservers.net/sks-keyservers.netCA.pem
$ sudo mv sks-keyservers.netCA.pem /etc
These settings will configure GnuPG to use SSL when fetching new keys and prefer strong cryptographic primitives.
See also ioerror/duraconf/configs/gnupg/gpg.conf. You should also take some time to read OpenPGP Best Practices.
If you don't already have a keypair, create one using gpg --gen-key. Also see drduh/YubiKey-Guide.
Read online guides and practice encrypting and decrypting email to yourself and your friends. Get them interested in this stuff!

OTR

OTR stands for off-the-record and is a cryptographic protocol for encrypting and authenticating conversations over instant messaging.
You can use OTR on top of any existing XMPP chat service, even Google Hangouts (which only encrypts conversations between users and the server).
The first time you start a conversation with someone new, you'll be asked to verify their public key fingerprint. Make sure to do this in person or by some other secure means (e.g. GPG encrypted mail).
A popular OS X GUI client for XMPP and other chat protocols is Adium
Consider downloading the beta version which uses OAuth2, making logging in to Google Talk/Hangouts more secure.
Adium_1.5.11b3.dmg

SHA-256: 999e1931a52dc327b3a6e8492ffa9df724a837c88ad9637a501be2e3b6710078
SHA-1:   ca804389412f9aeb7971ade6812f33ac739140e6
Remember to disable logging for OTR chats with Adium.
A good console-based XMPP client is profanity which can be installed with brew install profanity
For improved anonymity, check out Tor Messenger, although it is still in beta, as well as Ricochet (which has recently received a thorough security audit [pdf]), which both use the Tor network rather than relying on messaging servers.
If you want to know how OTR works, read the paper Off-the-Record Communication, or, Why Not To Use PGP [pdf]

Tor

Tor is an anonymizing proxy which can be used for browsing the web.
Do not attempt to configure other browsers to use Tor as you are likely make a mistake which will compromise your anonymity.
After downloading the dmg and asc files, verify the disk image has been signed by Tor developers with gpg TorBrowser*asc
You may see a warning - the public key was not found. Fetch it from the keyserver with gpg --recv-keys 0x2E1AC68ED40814E0 and verify again.
Make sure Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>" appears in the output. You may see a benign warning if the key has not been manually assigned trust.
Example of valid signature output
Example of valid signature output
See How to verify signatures for packages for more information.
Tor traffic is encrypted to the exit node (i.e., cannot be read by a passive network eavesdropper), but can be identified.
Just one example way is by monitoring TLS handshakes:
$ sudo tcpdump -Ani en0 "tcp" | grep "www"
.............&.$..!www.ht50d2u6ky6y7kbcxhe5mjfdi.com.........
.~7...~.|.Lp*e.....L._..........ug.......[.net0.brU.....fP...a&..'.]...r.....E*F....{...qjJ}....).$8....    ....V.E..0
...................www.s4ku5skci.net.........
l..5...R[i.0...A.$...l..Ly.....}..ZY..../.........LH.0..\...3.?.........*.N... ..._/G\...0*..?...`d.........0   ...X..&.N0
^C
See Tor Protocol Specification and Tor/TLSHistory for more information.
You may wish to additionally obfuscate Tor traffic using a pluggable transport, such as Yawning/obfs4proxy or SRI-CSL/stegotorus.
This can be done by setting up your own Tor relay or finding an existing private or public bridge to serve as an obfuscating entry node.
For extra security, use Tor inside a VirtualBox or VMware virtualized GNU/Linux or BSD machine.
Finally, remember the Tor network provides anonymity, which is not necessarily synonymous with privacy. The Tor network does not guarantee protection against a global observer capable of traffic analysis and correlation. See also Seeking Anonymity in an Internet Panopticon [pdf] and Traffic Correlation on Tor by Realistic Adversaries [pdf].

VPN

If you use your Mac on untrusted networks - airports, cafes, etc. - your network traffic is being monitored and possibly tampered with.
It is a good idea to use a VPN which encrypts all outgoing network traffic (i.e., not split tunnel) with a provider you trust. Ideally, that provider is a server in your house or a trustworthy "cloud".
Don't just blindly sign up for a VPN service without understanding the full implications and how your traffic will be routed. If you don't understand how the VPN works or are not familiar with the software used, you are probably better off without it.
When choosing a VPN service or setting up your own, be sure to research the protocols, key exchange algorithms, authentication mechanisms, and type of encryption being used. Some protocols, such as PPTP, should be avoided in favor of OpenVPN, for example.
Some clients may send traffic over the next available interface when VPN is interrupted or disconnected. See scy/8122924for an example on how to allow traffic only over VPN.

Viruses and malware

There is an ever-increasing amount of Mac malware in the wild. Macs aren't immune from viruses and malicious software!
Some malware comes bundled with both legitimate software, such as the Java bundling Ask Toolbar, and some with illegitimate software, such as Mac.BackDoor.iWorm bundled with pirated programs.
See Methods of malware persistence on Mac OS X [pdf] and Malware Persistence on OS X Yosemite to learn about how garden-variety malware functions.
You could periodically run a tool like Knock Knock to examine persistent applications (e.g. scripts, binaries). But by then, it is probably too late. Maybe applications such as Block Block and Ostiarius will help. See warnings and caveats in issue #90first, however.
Anti-virus programs are a double-edged sword -- not useful for advanced users and will likely increase attack surface against sophisticated threats, however possibly useful for catching "garden variety" malware on novice users' Macs. There is also the additional processing overhead to consider.
Therefore, the best anti-virus is Common Sense 2016. See more discussion in issue #44.
Local privilege escalation bugs are plenty on OS X, so always be careful when downloading and running untrusted programs or trusted programs from third party websites or downloaded over HTTP (example).
Have a look at The Safe Mac for past and current Mac security news.
Also check out Hacking Team malware for Mac OS: root installation for MacOSSupport driver for Mac Agent and RCS Agent for Mac, which is a good example of advanced malware with capabilities to hide from userland (e.g., psls), for example. For more, see A Brief Analysis of an RCS Implant Installer and reverse.put.as

System Integrity Protection

System Integrity Protection (SIP) is a new security feature of OS X 10.11. It is enabled by default, but can be disabled, which may be necessary to change some system settings, such as deleting root certificate authorities or unloading certain launch daemons.
A new security policy that applies to every running process, including privileged code and code that runs out of the sandbox. The policy extends additional protections to components on disk and at run-time, only allowing system binaries to be modified by the system installer and software updates. Code injection and runtime attachments to system binaries are no longer permitted.

Gatekeeper and XProtect

Gatekeeper and the quarantine system try to prevent unsigned or "bad" programs and files from running and opening.
XProtect prevents the execution of known bad files and outdated plugin versions, but does nothing to cleanup or stop existing malware.
Both offer trivial protection against common risks and are fine at default settings.
Note Quarantine stores information about downloaded files in~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2, which may pose a privacy risk. To examine the file, simply use strings or the following command:
$ echo 'SELECT datetime(LSQuarantineTimeStamp + 978307200, "unixepoch") as LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineOriginURLString, LSQuarantineDataURLString from LSQuarantineEvent;' | sqlite3 /Users/$USER/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
See here for more information.
To permanently disable this feature, clear the file and make it immutable:
$ :>~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
$ sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2
Furthermore, OS X attaches metadata (HFS+ extended attributes) to downloaded files:
$ ls -l@ adobe_flashplayer_setup.dmg
-rw-r-----@ 1 drduh  staff  1000000 Sep  1 12:00 adobe_flashplayer_setup.dmg
com.apple.diskimages.fsck        20
com.apple.diskimages.recentcksum         79
com.apple.metadata:kMDItemWhereFroms       2737
com.apple.quarantine         68
To view or remove metadata, use xattr:
$ xattr -l com.apple.metadata:kMDItemWhereFroms adobe_flashplayer_setup.dmg

Passwords

You can generate strong passwords with OpenSSL:
$ openssl rand -base64 30
LK9xkjUEAemc1gV2Ux5xqku+PDmMmCbSTmwfiMRI
Or GPG:
$ gpg --gen-random -a 0 30
4/bGZL+yUEe8fOqQhF5V01HpGwFSpUPwFcU3aOWQ
Or /dev/urandom output:
$ dd if=/dev/urandom bs=1 count=30 2>/dev/null | base64
CbRGKASFI4eTa96NMrgyamj8dLZdFYBaqtWUSxKe
With control over character sets:
$ LANG=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 40 | head -n 1
jm0iKn7ngQST8I0mMMCbbi6SKPcoUWwCb5lWEjxK

$ LANG=C tr -dc 'DrDuh0-9' < /dev/urandom | fold -w 40 | head -n 1
686672u2Dh7r754209uD312hhh23uD7u41h3875D
You can also generate passwords, even memorable ones, using Keychain Access password assistant, or a command line equivalent like anders/pwgen.
Keychains are encrypted with a PBKDF2 derived key and are a pretty safe place to store credentials. See also Breaking into the OS X keychain. Also be aware that Keychain does not encrypt the names corresponding to password entries.
Alternatively, you can manage an encrypted passwords file yourself with gpg (shameless plug for my drduh/pwd.shpassword manager script).
In addition to passwords, ensure eligible online accounts, such as Github, Google accounts, banking, have two factor authentication enabled.
Look to Yubikey for a two factor and private key (e.g., ssh, gpg) hardware token. See drduh/YubiKey-Guide andtrmm.net/Yubikey. One of two Yubikey's slots can also be programmed to emit a long, static password (which can be used in combination with a short, memorized password, for example).

Backup

Always encrypt files locally before backing them up to external media or online services.
One way is to use a symmetric cipher with GPG and a password of your choosing.
To encrypt a directory:
$ tar zcvf - ~/Downloads | gpg -c > ~/Desktop/backup-$(date +%F-%H%M).tar.gz.gpg
To decrypt an archive:
$ gpg -o ~/Desktop/decrypted-backup.tar.gz \
  -d ~/Desktop/backup-2015-01-01-0000.tar.gz.gpg && \
  tar zxvf ~/Desktop/decrypted-backup.tar.gz
You may also create encrypted volumes using Disk Utility or hdiutil:
$ hdiutil create ~/Desktop/encrypted.dmg -encryption -size 1g -volname "Name" -fs JHFS+
Also see the following applications and services: SpiderOakArqEspionage, and restic.

Wi-Fi

OS X remembers access points it has connected to. Like all wireless devices, the Mac will broadcast all access point names it remembers (e.g., MyHomeNetwork) each time it looks for a network, such as when waking from sleep.
This is a privacy risk, so remove networks from the list in System Preferences > Network > Advanced when they're no longer needed.
Saved Wi-Fi information (SSID, last connection, etc.) can be found in/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
You may wish to spoof the MAC address of your network card before connecting to new and untrusted wireless networks to mitigate passive fingerprinting:
$ sudo ifconfig en0 ether $(openssl rand -hex 6 | sed 's%\(..\)%\1:%g; s%.$%%')
Note MAC addresses will reset to their hardware defaults on each boot.
Also see feross/SpoofMAC.
Finally, WEP protection on wireless networks is not secure and you should favor connecting to WPA2 protected networks only to mitigate the risk of passive eavesdroppers.

SSH

For outgoing ssh connections, use hardware- or password-protected ssh keys, set up remote hosts and consider hashingthem.
Here are several recommended options to add to ~/.ssh/ssh_config:
Host *
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  HashKnownHosts yes
  UseRoaming no
UseRoaming is an undocumented option in OpenSSH that is enabled by default and is vulnerable in OpenSSH versions 5.4 through 7.1. The vulnerabilities are detailed in CVE-2016-0777 and CVE-2016-0778.
You can also use ssh to create an encrypted tunnel to send your traffic through, which is similar to a VPN.
For example, to use Privoxy on a remote host:
$ ssh -C -L 5555:127.0.0.1:8118 you@remote-host.tld
$ sudo networksetup -setwebproxy "Wi-Fi" 127.0.0.1 5555
$ sudo networksetup -setsecurewebproxy "Wi-Fi" 127.0.0.1 5555
Or to use an ssh connection as a SOCKS proxy:
$ ssh -NCD 3000 you@remote-host.tld
By default, OS X does not have sshd or Remote Login enabled.
To enable sshd and allow incoming ssh connections:
$ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist
Or use the System Preferences > Sharing menu.
If you are going to enable sshd, at least disable password authentication and consider further hardening your configuration.
To /etc/sshd_config, add:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Confirm whether sshd is enabled or disabled:
$ sudo lsof -ni TCP:22

Physical access

Keep your Mac physically secure at all times. Don't leave it unattended in hotels and such.
For example, a skilled attacker with unsupervised physical access to your computer can infect the boot ROM to install a keylogger and steal your password - see Thunderstrike, for example.
A helpful tool is usbkill, which is "an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer".
Consider purchasing a privacy filter for your screen to thwart shoulder surfers.

System monitoring

OpenBSM audit

OS X has a powerful OpenBSM auditing capability. You can use it to monitor process execution, network activity, and much more.
To tail audit logs, use the praudit utility:
$ sudo praudit -l /dev/auditpipe
header,201,11,execve(2),0,Thu Sep  1 12:00:00 2015, + 195 msec,exec arg,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,path,/Applications/.evilapp/rootkit,attribute,100755,root,wheel,16777220,986535,0,subject,drduh,root,wheel,root,wheel,412,100005,50511731,0.0.0.0,return,success,0,trailer,201,
header,88,11,connect(2),0,Thu Sep  1 12:00:00 2015, + 238 msec,argument,1,0x5,fd,socket-inet,2,443,173.194.74.104,subject,drduh,root,wheel,root,wheel,326,100005,50331650,0.0.0.0,return,failure : Operation now in progress,4354967105,trailer,88
header,111,11,OpenSSH login,0,Thu Sep  1 12:00:00 2015, + 16 msec,subject_ex,drduh,drduh,staff,drduh,staff,404,404,49271,::1,text,successful login drduh,return,success,0,trailer,111,
See the manual pages for auditprauditaudit_control and other files in /etc/security
Note although man audit says the -s flag will synchronize the audit configuration, it appears necessary to reboot for changes to take effect.
See articles on ilostmynotes.blogspot.com and derflounder.wordpress.com for more information.

DTrace

iosnoop monitors disk I/O
opensnoop monitors file opens
execsnoop monitors execution of processes
errinfo monitors failed system calls
dtruss monitors all system calls
See man -k dtrace for more information.
Note System Integrity Protection may interfere with DTrace.

Execution

ps -ef lists information about all running processes.
You can also view processes with Activity Monitor.
launchctl list and sudo launchctl list lists loaded and running user and system launch daemons and agents.

Network

List open network files:
$ sudo lsof -ni -P
List contents of various network-related data structures:
$ sudo netstat -atln
You can also use Wireshark from the command line.
Monitor DNS queries and replies:
$ tshark -Y "dns.flags.response == 1" -Tfields \
  -e frame.time_delta \
  -e dns.qry.name \
  -e dns.a \
  -Eseparator=,
Monitor HTTP requests and responses:
$ tshark -Y "http.request or http.response" -Tfields \
  -e ip.dst \
  -e http.request.full_uri \
  -e http.request.method \
  -e http.response.code \
  -e http.response.phrase \
  -Eseparator=/s
Monitor x509 certificates on the wire:
$ tshark -Y "ssl.handshake.certificate" -Tfields \
  -e ip.src \
  -e x509sat.uTF8String \
  -e x509sat.printableString \
  -e x509sat.universalString \
  -e x509sat.IA5String \
  -e x509sat.teletexString \
  -Eseparator=/s -Equote=d
Also check out the GUI "simple network activity monitor" BonzaiThePenguin/Loading

Miscellaneous

If you wish, disable Diagnostics & Usage Data.
Consider creating a second, non-administrator account for web browsing and general use which doesn't require elevated privileges. See issue #9.
If you want to play music or watch videos, use VLC media player which is free and open source.
If you want to torrent, use Transmission which is free and open source (note: like all software, even open source projects,malware may still find its way in). You may also wish to use a block list to avoid peering with known bad hosts - see Which is the best blocklist for Transmission and johntyree/3331662.
Manage default file handlers with duti, which can be installed with brew install duti. One reason to manage extensions is to prevent auto-mounting of remote filesystems in Finder (see Protecting Yourself From Sparklegate).
Watch the system log with /Applications/Utilities/Console.app or the syslog command.
Enable tty_tickets in the sudoers file.
Set your screen to lock as soon as the screensaver starts:
$ defaults write com.apple.screensaver askForPassword -int 1
$ defaults write com.apple.screensaver askForPasswordDelay -int 0
Expose hidden files and Library folder in Finder:
$ defaults write com.apple.finder AppleShowAllFiles -bool true
$ chflags nohidden ~/Library
Don't default to saving documents to iCloud:
$ defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
Enable Secure Keyboard Entry in Terminal (unless you use YubiKey or applications such as TextExpander).
Disable crash reporter (the dialog which appears after an application crashes and prompts to report the problem to Apple):
$ defaults write com.apple.CrashReporter DialogType none
Disable Bonjour multicast advertisements:
$ sudo defaults write /Library/Preferences/com.apple.mDNSResponder.plist NoMulticastAdvertisements -bool YES
Disable Handoff and Bluetooth features, if they aren't necessary.
Consider sandboxing your applications. See fG! Sandbox Guide [pdf] and s7ephen/OSX-Sandbox--Seatbelt--Profiles.
Did you know Apple has not shipped a computer with TPM since 2006?

Related software

Santa - A binary whitelisting/blacklisting system for Mac OS X.
SummitRoute/osxlockdown - audit and remediate security configuration settings on OS X 10.11 (El Capitan).
Lockdown - tool for El Capitan that audits and remediates security configuration settings.
Dylib Hijack Scanner - scan for applications that are either susceptible to dylib hijacking or have been hijacked.
facebook/osquery - can be used to retrieve low level system information. Users can write SQL queries to retrieve system information.
google/grr - incident response framework focused on remote live forensics.
yelp/osxcollector - forensic evidence collection & analysis toolkit for OS X.
jipegit/OSXAuditor - analyzes artifacts on a running system, such as quarantined files, Safari, Chrome and Firefox history, downloads, HTML5 databases and localstore, social media and email accounts, and Wi-Fi access point names.
libyal/libfvde - library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
CISOfy/lynis - cross-platform security auditing tool and assists with compliance testing and system hardening.

Additional resources

In no particular order

from  https://github.com/drduh/OS-X-Security-and-Privacy-Guide