
PL-240 Add harden-host.sh script#8

Open
burakberkkeskin wants to merge 2 commits into develop from add-harden-host-script

Conversation

burakberkkeskin (Contributor) commented Jun 23, 2026

Summary by CodeRabbit

Release Notes

  • New Features
    • Introduced macOS host hardening script with audit-only and dry-run modes for safe evaluation
    • Enables application firewall with stealth mode and app-signing restrictions
    • Hardens authentication by disabling guest accounts and password hints
    • Disables unnecessary sharing services while preserving Screen Sharing capability
    • Optimizes power management and privacy/analytics settings

@burakberkkeskin burakberkkeskin self-assigned this Jun 23, 2026
coderabbitai Bot commented Jun 23, 2026

Review Change Stack

Warning

Review limit reached

@burakberkkeskin, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 37 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5d0f54af-cf26-4e71-bfa6-41c0c21f4dc5

📥 Commits

Reviewing files that changed from the base of the PR and between 99e7416 and 4a08e1b.

📒 Files selected for processing (1)
  • harden-host.sh
📝 Walkthrough

A new harden-host.sh bash script is added for auditing and applying a macOS host hardening subset. It supports --dry-run, --audit-only, and --disable-ssh flags, enforces root execution, and applies settings across firewall, sharing services, authentication/login window, power management, privacy/analytics, and software update policy.

Changes

macOS Host Hardening Script

Layer / File(s) / Summary
  • CLI flags, root enforcement, and execution helpers (harden-host.sh): implements usage/help output, --dry-run, --audit-only, and --disable-ssh argument parsing, root-only enforcement, and a run() wrapper that gates side effects based on mode flags.
  • Posture verification – Section A (harden-host.sh): checks and reports SIP, FileVault, and Gatekeeper status with warnings; optionally prints Secure Boot policy; exits early when --audit-only is set.
  • Firewall and sharing hardening – Sections B and C (harden-host.sh): Section B enables the application firewall (global state, stealth mode, signed app settings). Section C disables Remote Management, SMB/AFP, printer sharing, remote Apple events, Internet Sharing, and Bluetooth while leaving Screen Sharing enabled; conditionally disables SSH.
  • Account, power, privacy, and update hardening – Sections D–G (harden-host.sh): Section D hardens guest account, login window display, password hints, and screensaver password. Section E disables Power Nap and wake-for-network. Section F disables diagnostic/crash reporter submission. Section G keeps security and XProtect update flags enabled. Completion output references MDM enrollment.

Poem

🐇 A rabbit hopped in, script in paw,
Firewalls raised without a flaw.
Guest accounts locked, Bluetooth down,
Stealth mode on across the town.
--dry-run first, then make it real —
No host too hard to safely seal! 🔒

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'PL-240 Add harden-host.sh script' directly and clearly summarizes the main change: introducing a new hardening script for macOS hosts.

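The walkthrough describes a run() wrapper that gates side effects on the mode flags, and the review comment further down points out that under set -e a single failing step aborts the remaining sections with no summary of what failed. The block below is an added example covering both points; it is not the PR's harden-host.sh. The labels, the summary()/reset_state() helpers and the stand-in commands (true, false, echo) are constructed here so the block runs on any POSIX shell without touching a real host.

```shell
#!/bin/sh
# Added example, not the PR's harden-host.sh: a run() wrapper that gates side
# effects on mode flags and records failed steps instead of letting set -e
# abort the remaining sections. The commands passed to run below are
# constructed stand-ins (true/false/echo), not real macOS hardening commands.
set -eu

DRY_RUN=0          # print the commands that would run, change nothing
AUDIT_ONLY=0       # report posture only, never mutate the host
FAIL_COUNT=0       # number of steps whose command returned non-zero
FAILED_STEPS=""    # newline-separated labels of those steps

log()  { printf '[+] %s\n' "$*"; }
warn() { printf '[!] %s\n' "$*" >&2; }

# run LABEL COMMAND-STRING
# The command is one string because hardening steps carry redirections and
# '||' fallbacks that the shell must parse, hence eval "$*". Callers must never
# splice externally supplied values into that string, since eval re-parses it.
# run always returns 0: a failure is recorded for summary() rather than
# propagated, so one bad step cannot leave the host half-hardened in silence.
run() {
  label=$1
  shift
  if [ "$AUDIT_ONLY" -eq 1 ]; then
    return 0
  fi
  if [ "$DRY_RUN" -eq 1 ]; then
    log "would run: $*"
    return 0
  fi
  if eval "$*"; then
    log "ok: $label"
  else
    FAIL_COUNT=$((FAIL_COUNT + 1))
    FAILED_STEPS="${FAILED_STEPS}${label}
"
    warn "step failed: $label"
  fi
  return 0
}

# summary lists the failed steps and returns 1 if there were any, so the
# script's exit status still tells an operator the host is only partially hardened.
summary() {
  if [ "$FAIL_COUNT" -eq 0 ]; then
    log "all steps applied"
    return 0
  fi
  warn "$FAIL_COUNT step(s) failed:"
  printf '%s' "$FAILED_STEPS" | sed 's/^/    - /' >&2
  return 1
}

reset_state() { FAIL_COUNT=0; FAILED_STEPS=""; }

# Demonstration: three constructed steps, one of which fails, so demo returns
# summary's status (1) and the script exits non-zero.
demo() {
  reset_state
  DRY_RUN=0
  AUDIT_ONLY=0
  run "firewall global state (stand-in)" "true 2>/dev/null"
  run "stealth mode (stand-in)"          "false 2>/dev/null"
  run "allow signed apps (stand-in)"     "echo applied >/dev/null || true"
  summary
}

case "${1:-}" in
  --demo) demo ;;
esac
```

Run with `--demo` to see one recorded failure and a non-zero exit. The design choice is that run never propagates the step's status: best-effort execution continues, every failure is named in the final summary, and the exit code still signals partial hardening to whatever invoked the script.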

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
harden-host.sh (3)

54-60: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

eval "$@" (SC2294) is acceptable here, but a brief note helps.

Shellcheck flags eval negating array benefits, but it's effectively a false positive: run is always invoked with a single command string that intentionally contains redirections and || fallbacks, which require eval (or bash -c). Since the argument is always one string, prefer eval "$*" to make the intent explicit and silence the warning.

♻️ Optional tweak
   else
-    eval "$@"
+    eval "$*"
   fi
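Review bot: the change from eval "$@" to eval "$*" in this hunk is behaviour-neutral with the default IFS ("$*" joins extra arguments with a space, which is also how eval concatenates "$@"), so on its own it only silences SC2294; if it is made, put the contract it rests on in a comment next to the eval: run receives a single shell-parsed command string, so callers must never splice externally supplied values (paths with spaces, anything with shell metacharacters) into that string, because eval re-parses it. Without that note the next contributor has no reason not to call run with several arguments, at which point "$*" and "$@" do diverge whenever IFS has been changed.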
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@harden-host.sh` around lines 54-60, the run function currently uses eval "$@", which triggers a shellcheck SC2294 warning. Since the run function is always invoked with a single command string that intentionally contains redirections and logical operators (which require eval to process), change the eval "$@" call to eval "$*" to make the intent explicit and silence the shellcheck warning while maintaining the same functionality.

Source: Linters/SAST tools


107-110: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Inconsistent error handling can abort hardening midway.

Under set -e, these firewall commands (and several unguarded defaults write calls in Sections D–G) have no || true, unlike most other steps. A single non-zero exit (e.g., socketfilterfw returning an error) will terminate the script and skip all remaining sections, leaving the host partially hardened with no summary of what failed. Consider either making the script best-effort consistently (|| true / collect failures) or intentionally fail-fast everywhere.

♻️ Example: guard firewall calls consistently
-run "$FW --setglobalstate on"
-run "$FW --setstealthmode on"
-run "$FW --setallowsigned on"
-run "$FW --setallowsignedapp on"
+run "$FW --setglobalstate on 2>/dev/null || warn 'failed to set firewall global state'"
+run "$FW --setstealthmode on 2>/dev/null || warn 'failed to set stealth mode'"
+run "$FW --setallowsigned on 2>/dev/null || true"
+run "$FW --setallowsignedapp on 2>/dev/null || true"
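Review bot: the suggested guards work against the finding's own goal on two of the four lines: --setallowsigned and --setallowsignedapp fall back to || true, so a failure there is exactly the silent partial hardening described above, while only the first two lines warn; use the warn fallback on all four. Also, 2>/dev/null discards socketfilterfw's own error text before warn runs, so the summary can report that a step failed but not why; redirect stderr to the script's log, or capture it into a variable and include it in the warn message, rather than dropping it.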
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@harden-host.sh` around lines 107-110, the firewall configuration commands (using the $FW variable) and unguarded defaults write calls in Sections D–G lack consistent error handling under set -e, which causes the script to abort midway on any non-zero exit and skip remaining hardening sections. Add error handling (either || true for best-effort execution or collect errors for reporting) to the firewall commands around lines 107-110 (run "$FW --setglobalstate on", run "$FW --setstealthmode on", run "$FW --setallowsigned on", and run "$FW --setallowsignedapp on") and the unguarded defaults write calls throughout Sections D–G to match the error-handling pattern used elsewhere in the script, ensuring partial hardening doesn't occur silently.

41-41: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

--help prints the shebang and every comment line, not just usage.

grep '^#' "$0" matches the shebang (#!/usr/bin/env bash → rendered as !/usr/bin/env bash) and the # ---- section dividers, producing noisy help output. Consider scoping to the header block (e.g., stop at the first non-comment line) or printing a dedicated usage function.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@harden-host.sh` at line 41, the `--help` option handler uses `grep '^#' "$0"`, which matches all lines starting with `#`, including the shebang and section dividers like `# ----`, producing noisy output. To fix this, modify the help option case in the `-h|--help` pattern to either scope the grep output to only the header comment block (stopping at the first non-comment line after the shebang), or replace it with a dedicated usage function that prints only the intended help documentation without section dividers and metadata comments.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@harden-host.sh`:
- Around lines 154-155: the screensaver password settings commands using `defaults -currentHost write com.apple.screensaver askForPassword` and `defaults -currentHost write com.apple.screensaver askForPasswordDelay` are running under sudo, which targets root's preferences instead of the actual logged-in user's preferences and won't take effect on modern macOS. Remove or comment out these two lines and instead implement these screensaver security settings through MDM or configuration profiles, which is the authoritative method for enforcing such security-sensitive settings on modern macOS systems, as noted in the script header.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eaf9c963-1223-4dd0-bf4c-8adae75acf9e

📥 Commits

Reviewing files that changed from the base of the PR and between 8418569 and 99e7416.

📒 Files selected for processing (1)
  • harden-host.sh
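The `--help` finding above suggests scoping the output to the header comment block instead of every `#` line. The block below is an added example of that fix, not the PR's own code: usage_from_header, usage_naive, make_sample and the sample script text are constructed here, with the sample mirroring the layout the review describes (shebang, header block, then `# ----` section dividers).

```shell
#!/bin/sh
# Added example, not the PR's harden-host.sh: scope --help to the header
# comment block instead of printing every '#' line in the file (which, as the
# review notes, also dumps the shebang and the '# ----' section dividers).
#
# Usage: sh <this file> [--help | --demo]
set -eu

# Print only the leading comment block of FILE: skip a shebang on line 1,
# strip the '# ' prefix, and stop at the first line that is not a comment.
# Dividers such as '# ----' deeper in the script are therefore never reached.
usage_from_header() {
  awk 'NR == 1 && /^#!/ { next }
       /^#/            { sub(/^# ?/, ""); print; next }
                       { exit }' "$1"
}

# The pattern under review, kept only for comparison: every '#' line.
usage_naive() {
  grep '^#' "$1"
}

# Constructed sample script mirroring the layout the review describes:
# shebang, header block, blank line, then sections separated by '# ----'.
make_sample() {
  cat > "$1" <<'EOF'
#!/usr/bin/env bash
# harden-host.sh (sample) - audit or apply a macOS host hardening subset
#
# Usage: harden-host.sh [--dry-run] [--audit-only] [--disable-ssh]

set -euo pipefail
# ---- Section A: posture ----
echo "posture checks"
# ---- Section B: firewall ----
echo "firewall"
EOF
}

# Show both outputs side by side on the constructed sample.
demo() {
  tmp=$(mktemp)
  make_sample "$tmp"
  echo "== grep '^#' (every comment line) =="
  usage_naive "$tmp"
  echo "== header block only =="
  usage_from_header "$tmp"
  rm -f "$tmp"
}

case "${1:-}" in
  -h|--help) usage_from_header "$0" ;;
  --demo)    demo ;;
esac
```

Because the block's own header is a comment block, `--help` on this file prints exactly the five header lines and nothing below them; `--demo` shows the six-line noisy output next to the three-line scoped one for the sample script.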

Comment thread harden-host.sh
…nalytics daemons, ad tracking, Siri/AI agents, telemetry sinkhole)

2 participants