Create A Configuration File for MacOS to Run at Startup

Turn off unwanted services to reduce attack vectors

One of my posts on OS and IoT Security, Network Security, and Apple Mac Security

Free Content on Jobs in Cybersecurity | Sign up for the Email List

In a prior post I wrote about how to turn off IPv6 on a Mac.

Disabling IPv6 on a Mac

Reducing the attack service by disallowing network access via IPv6

medium.com

But how do you make that change permanent? What if you want to disable or enable other services? I am not sure why MacOS makes this so difficult. It seems overly complicated to figure out how to do this. Maybe I’m just not looking in the right places but here’s how you can do it.

First of all, you need to create a script and store it somewhere that only you can run it if you only want your profile to run it when the machine loads or in a share file if you want anyone to be able to run it. I want the latter so I put the file in a shared folder. I set the permissions accordingly.

Now you may think that you can add this script to your login items in preferences if you are familiar with that, but no. You will get errors on startup saying you don’t have permission to run the script. Now, I’ve created a little app and run that at start up but that seems so complicated for what I am trying to run.

After you create the script you have to create a plist in the /Library/LaunchDaemons/ folder.

By the way, while you are in that folder and other startup folders, look for anything suspicious that should not be running at startup. Don’t delete the items but move them in case they really are required and you need to restore them. Be careful so you don’t remove required items that make your machine malfunction.

Here are the steps to take to create a configuration script that runs at startup if you want to do what I did.

Create this file at the following path.

/Users/Shared/2sl-startup-config.sh

2. Run this command so anyone can run the file:

sudo chmod 755 2sl-startup-config.sh

3. Edit the script to do what it needs to do. For exmaple:

Disable ipv6 (note that you’ll need to run the commands in my prior post to figure out exactly what devices to use in the commands below):

networksetup -setv6off "USB-C LAN"
networksetup -setv6off "Wi-Fi"
networksetup -setv6off "Thunderbolt Bridge"

Disable SMB

/usr/bin/sudo /bin/launchctl disable system/com.apple.smbd

AOSX-13-000139 - The macOS system must be configured to disabl...

Audit item details for AOSX-13-000139 - The macOS system must be configured to disable SMB File Sharing unless it is…

www.tenable.com

Disable netbios

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.netbiosd

Create this file (you will need to use sudo)

/Library/LaunchDaemons/com.2ndSightLab.config.plist

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
 <key>Label</key>
 <string>com.2ndSightLab.config</string>
 <key>LaunchOnlyOnce</key>
 <true/>
 <key>ProgramArguments</key>
 <array>
  <string>/Users/Shared/2sl-startup-config.sh</string>
 </array>
 <key>RunAtLoad</key>
 <true/>
</dict>
</plist>

Restart.

To see what’s running you can look at activity monitor.

You can also run the top command in a command line window.

You can also run the top command in a terminal window.

Crtl-C to exit.

Run this command to see what runs at startup:

sudo launchctl list

What is all this stuff and can you disable any of it to improve system performance, security, and reduce noise on your network?

Apple Macintosh Network Traffic

Noise on your network makes it more challenging to find what matters.

medium.com

Not sure but wish Apple would make it easier and would like to find out if I ever have time to look into this in more detail.

For now I’ve disabled some of the most egregious protocols that are involved in data breaches and misconfigurations.

Follow for updates.

The best way to support this blog is to sign up for the email list and clap for stories you like. If you are interested in IANS Decision Support services so you can schedule security consulting calls with myself and other IANS faculty, please reach out on LinkedIn via the link below. Thank you!

Get an email whenever Teri Radichel publishes.

Get an email whenever Teri Radichel publishes. By signing up, you will create a Medium account if you don’t already…

2ndsightlab.medium.com

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Author: Cybersecurity for Executives in the Age of Cloud
Presentations: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Security Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
Company: Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab

Like this story? Use the options below to help me write more!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Clap
❤️ Referrals
❤️ Medium: Teri Radichel
❤️ Email List: Teri Radichel
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
❤️ Buy a Book: Teri Radichel on Amazon
❤️ Request a penetration test, assessment, or training
 via LinkedIn: Teri Radichel 
❤️ Schedule a consulting call with me through IANS Research

My Cybersecurity Book: Cybersecurity for Executives in the Age of Cloud

Summarize