mac-security is an open-source toolkit for auditing and hardening macOS workstations. One command gives you a full security report. Another locks down your SSH, firewall, and sharing services to a defensible baseline.
```sh
brew tap davidwhittington/mac-security
brew install davidwhittington/mac-security/mac-security
```
Run mac-security-audit and get a structured Markdown report covering every major security control on your machine.
- Confirms disk encryption is on. Flags unencrypted machines as critical.
- System Integrity Protection and app signing enforcement status.
- Firewall state, stealth mode, and block-all setting.
- Reads sshd_config.d drop-ins. Reports password auth, root login, key auth.
- Remote Login, ARD, Screen Sharing, File Sharing, Internet Sharing.
- All TCP listeners. Spot unexpected services before attackers do.
- Local users and admin group membership.
- Auto-check, auto-download, and security data install policy.
Three tools ship with the Homebrew formula.
- private/workstations/ for audit history tracking
From zero to a hardened baseline in under five minutes.
```sh
# 1. Install the tools
brew tap davidwhittington/mac-security
brew install davidwhittington/mac-security/mac-security

# 2. Run your first audit
mac-security-audit --brief

# 3. Review the Findings Summary at the bottom of the report
#    Each finding includes a severity and a recommended fix.

# 4. Harden SSH (see the SSH guide for the full walkthrough)
printf '%s\n' \
  'PasswordAuthentication no' \
  'PermitRootLogin no' \
  'PubkeyAuthentication yes' \
  'MaxAuthTries 3' \
  | sudo tee /etc/ssh/sshd_config.d/099-hardening.conf

# 5. Re-run the audit to confirm findings are resolved
mac-security-audit --brief
```
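The audit's SSH check and step 4 above both hinge on one sshd rule: for each keyword the first value sshd obtains wins, and drop-ins are read in lexical order, so a file that sorts before `099-hardening.conf` overrides it. The following is an added example, not mac-security's own code, of a hypothetical checker that resolves the effective value across a drop-in directory and grades the four controls from the quickstart; it assumes whitespace-separated `Keyword value` lines and a constructed temp directory standing in for `/etc/ssh/sshd_config.d`.

```shell
# Hypothetical helper (not part of mac-security). Reproduces sshd_config(5)
# semantics: first obtained value wins, files processed in lexical order,
# anything after a Match line is conditional and ignored here.

# effective_sshd_value DIR KEYWORD -> prints the winning value, or "unset"
effective_sshd_value() {
    for f in "$1"/*; do                         # Include takes every file, not only *.conf
        [ -f "$f" ] || continue
        v=$(awk -v k="$2" '
            $1 ~ /^#/ || NF == 0      { next }  # comment or blank line
            tolower($1) == "match"    { exit }  # rest of file is conditional: stop
            tolower($1) == tolower(k) { print $2; exit }   # keywords are case-insensitive
        ' "$f")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    printf 'unset\n'
}

# audit_sshd_dir DIR -> one line per control; returns 1 if any control fails
audit_sshd_dir() {
    d=$1; rc=0
    for spec in 'PasswordAuthentication no CRIT' 'PermitRootLogin no CRIT' \
                'PubkeyAuthentication yes HIGH' 'MaxAuthTries 3 LOW'; do
        set -- $spec                            # keyword expected severity
        actual=$(effective_sshd_value "$d" "$1")
        if [ "$actual" = "$2" ]; then
            printf 'OK   %s=%s\n' "$1" "$actual"
        else
            printf '%-4s %s=%s (expected %s)\n' "$3" "$1" "$actual" "$2"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: the quickstart hardening drop-in plus a vendor file that
# sorts before it and re-enables password auth, which therefore wins.
demo_sshd_audit() {
    t=$(mktemp -d)
    printf 'PasswordAuthentication yes\n' > "$t/000-vendor.conf"
    printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' \
        'PubkeyAuthentication yes' 'MaxAuthTries 3' > "$t/099-hardening.conf"
    audit_sshd_dir "$t"; s=$?
    rm -rf "$t"
    return $s
}

demo_sshd_audit || echo "audit exit status: $?"
```

The demo reports `CRIT PasswordAuthentication=yes (expected no)` and exits 1 even though the hardening file says `no`, which is exactly the override a single-file `grep` would miss.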
Step-by-step documentation for every part of the hardening process.
- Key generation, authorized_keys setup, sshd hardening, multi-machine deployment.
- When block-all breaks SSH, and how pf gives you both.
- Per-client key strategy, ~/.ssh/config host blocks, key rotation across a lab.
- launchd-scheduled audits that diff against the last report and alert on change.
- Disable ARD, Screen Sharing, File Sharing, Internet Sharing, AirDrop step by step.
Audit reports, machine profiles, and network diagrams contain sensitive data that shouldn't live in a public repo. mac-security uses a git submodule pattern to keep the tooling public and the data private:
```
# Public repo — scripts, guides, config templates
mac-security/
  scripts/audit/security-audit.sh
  docs/guides/
  config/launchagents/
  config/launchdaemons/

# Private submodule — per-machine data (separate private repo)
mac-security/private/
  workstations/macbook-pro-2026-03-08.md
  machines/macbook-pro/Brewfile
```
Clone the repo, initialize the private submodule pointing at your own private repo, and your audit history stays yours.