╔══════════════════════════════════════════════════════════════════════╗
║ ║
║ ███╗ ███╗ █████╗ ██████╗ ███████╗██╗ ██╗██╗███████╗██╗ ██████╗ ║
║ ████╗ ████║██╔══██╗██╔════╝ ██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗ ║
║ ██╔████╔██║███████║██║ ███████╗███████║██║█████╗ ██║ ██║ ██║ ║
║ ██║╚██╔╝██║██╔══██║██║ ╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║ ║
║ ██║ ╚═╝ ██║██║ ██║╚██████╗ ███████║██║ ██║██║███████╗██████╗ ██████╔╝ ║
║ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚═════╝╚═════╝ ║
║ ║
║ [ by qinnovate // github.com/qinnovates ] ║
║ ║
║ >> macos security analyzer & best practices report << ║
║ >> read-only | zero attack surface | swift + bash << ║
║ ║
╚══════════════════════════════════════════════════════════════════════╝
Current version: 1.0.0
Caution
Use at your own risk. macshield is a security analysis tool, not a security solution. It does not protect you. It does not modify your system. It reports what it finds, and what it finds may be incomplete, incorrect, or outdated. You are solely responsible for any actions you take based on its output. Always verify findings independently before making security decisions.
Beware the McNamara Fallacy (also called the quantitative fallacy): measuring what is easy to measure, ignoring what is not, and assuming what cannot be measured does not matter. A "Score: 95, Grade: A" does not mean your Mac is secure. It means the checks macshield ran did not find issues. There are entire attack classes macshield cannot detect: zero-days, firmware implants, supply chain compromises, social engineering, memory corruption, kernel exploits, and more. A green report can create a false sense of security that is more dangerous than no report at all, because it discourages further investigation.
Qinnovates is not liable for any consequences arising from the use of this tool.
Read-only macOS security posture analyzer built in Swift. Checks system configuration, scans ports, lists persistence items, audits app permissions. No system modifications. No background processes. No sudo. Zero attack surface.
macshield reads your Mac's security configuration and reports what it finds. It checks ~50 settings across 6 categories: system protection, firewall/network, sharing services, persistence integrity, privacy/permissions, and file hygiene. It produces a weighted risk score (0-100) with a confidence metric that degrades when checks cannot run.
- Does not protect you. It is a read-only analyzer, not a firewall, antivirus, or endpoint agent.
- Does not detect malware. It checks configuration, not running processes or file signatures.
- Does not detect zero-days, APTs, firmware implants, or supply chain attacks.
- Does not guarantee accuracy. It parses CLI tool output, which can change between macOS versions.
- Does not replace enterprise security. If you work in an enterprise, institution, or clinical setting, use your organization's managed devices and security stack. macshield is not a substitute.
- Does not make your Mac secure. Only you can do that.
macshield v1.0 is a complete rewrite from Bash to Swift. The original Bash version (macshield.sh) is preserved for reference.
- Type-safe risk scoring with weighted categories (0-100 composite score, A-F grade)
- Weighted confidence metric — inconclusive checks degrade confidence proportional to category importance. A failed SIP check (30% weight) degrades confidence more than a failed file hygiene check (10% weight). The score explicitly warns you when confidence is low.
- Machine-readable output: `--format json` for CI/CD integration, `--format human` for the terminal
- 42 unit tests with full mock coverage (no real system calls in tests)
- New checks: AMFI status with value parsing, XProtect version extraction, unsigned persistence items, kernel extension audit, Rosetta detection
- Code signing verification at launch with designated requirement + team ID validation
- Hardened ProcessRunner — async pipe draining prevents deadlocks, real timeout enforcement with SIGKILL fallback, clamped timeout range
- OS version guardrails — TCC queries enforce macOS 14+ requirement to prevent silent misreporting
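The scoring model described above, as an added example in shell (not macshield's own Swift code). The six category names are the ones the README lists; only two weights are stated on the page (system protection/SIP at 30%, file hygiene at 10%), so the other four weights, the grade bands and the low-confidence threshold are assumptions made for illustration. The point it shows is the one the feature list makes: an INCONCLUSIVE category is neither a pass nor a fail, it is left out of the score and charged against confidence in proportion to its weight.

```shell
#!/usr/bin/env bash
# Added example, not macshield's own code: weighted 0-100 score plus a
# confidence metric that drops when a category cannot be assessed.
# Weights other than system_protection (30) and file_hygiene (10) are ASSUMED.
set -eu

weight_of() {
  case "$1" in
    system_protection)    echo 30 ;;
    firewall_network)     echo 20 ;;   # assumed
    sharing_services)     echo 15 ;;   # assumed
    persistence_integrity) echo 15 ;;  # assumed
    privacy_permissions)  echo 10 ;;   # assumed
    file_hygiene)         echo 10 ;;
    *) echo 0 ;;
  esac
}

# Assumed grade bands.
grade_of() {
  if   [ "$1" -ge 90 ]; then echo A
  elif [ "$1" -ge 80 ]; then echo B
  elif [ "$1" -ge 70 ]; then echo C
  elif [ "$1" -ge 60 ]; then echo D
  else echo F; fi
}

# Reads "<category> <PASS|WARN|FAIL|INCONCLUSIVE>" lines on stdin and prints
# "score=N confidence=N grade=X low_confidence=yes|no".
# PASS earns the full weight, WARN half, FAIL nothing. INCONCLUSIVE leaves the
# category out of the score and subtracts its weight from confidence, so an
# unreadable SIP state costs 30 confidence points, an unreadable ~/.ssh costs 10.
score_report() {
  local earned=0 assessed=0 confidence=100 cat status w score low
  while read -r cat status || [ -n "${cat:-}" ]; do
    [ -n "$cat" ] || continue
    w=$(weight_of "$cat")
    case "$status" in
      PASS)         earned=$((earned + w * 100)); assessed=$((assessed + w)) ;;
      WARN)         earned=$((earned + w * 50));  assessed=$((assessed + w)) ;;
      FAIL)         assessed=$((assessed + w)) ;;
      INCONCLUSIVE) confidence=$((confidence - w)) ;;
      *) echo "unknown status '$status' for $cat" >&2; return 1 ;;
    esac
  done
  score=0
  [ "$assessed" -gt 0 ] && score=$((earned / assessed))
  low=no
  [ "$confidence" -lt 80 ] && low=yes   # assumed threshold for the warning
  echo "score=$score confidence=$confidence grade=$(grade_of "$score") low_confidence=$low"
}

# Constructed sample run: every check passes except SIP, which could not be
# read (say csrutil timed out). The score is perfect, the confidence is not.
printf '%s\n' \
  'system_protection INCONCLUSIVE' \
  'firewall_network PASS' \
  'sharing_services PASS' \
  'persistence_integrity PASS' \
  'privacy_permissions PASS' \
  'file_hygiene PASS' | score_report
```

That sample prints `score=100 confidence=70 grade=A low_confidence=yes`, which is the "Score: 95, Grade: A" trap from the Caution section made explicit: the grade is only as good as the checks that actually ran.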
- Why it exists
- What it does
- Install
- Commands
- Port scanning
- Security audit
- Persistence check
- Harden your Mac manually
- Understanding DNS, VPNs, proxies, and where macshield fits
- Free VPN: Cloudflare WARP vs ProtonVPN
- Build your own VPN
- Security model
- Comparison
- Uninstall
- Troubleshooting
- Changelog
If you work in an enterprise, institution, or clinical setting, you MUST use your organization's corporate VPN, managed devices, and enterprise security policies. macshield is not a substitute for enterprise security infrastructure. Qinnovates is not liable for any security compromises resulting from the use of macshield in lieu of proper enterprise or institutional security controls.
macshield is for students, independent researchers, and individuals who want visibility into their Mac's security posture. It tells you what's exposed and teaches you how to fix it. macshield does not modify your system -- you decide what to change and run the commands yourself.
Any security tool that modifies your system introduces its own attack surface. This is the paradox of protection: the mechanism you install to defend yourself becomes a new thing to defend. A LaunchAgent can be hijacked. A sudoers fragment grants privilege. An automated trigger runs without your knowledge.
Previous versions of macshield included a LaunchAgent that auto-hardened on network changes. We removed it because dynamic security automation is itself an attack vector. A compromised plist can swap the binary target, and automated SSID detection runs without user interaction.
Since v0.5.0, macshield takes a different approach: analyze and educate, don't automate. It tells you exactly what's wrong and gives you the commands to fix it. You run them yourself. The tool's attack surface is zero because it never modifies anything.
| Command | What it checks |
|---|---|
| `macshield audit` | SIP, FileVault, Gatekeeper, firewall, stealth mode, Lockdown Mode, Secure Boot, XProtect, sharing services, privacy settings, WiFi security, ARP table, file hygiene |
| `macshield scan` | Open TCP/UDP ports, listening processes, firewall status |
| `macshield connections` | Active TCP connections with process names and remote endpoints |
| `macshield persistence` | Non-Apple LaunchAgents, LaunchDaemons, login items, cron jobs, kernel extensions |
| `macshield permissions` | TCC database: screen recording, accessibility, microphone, camera, full disk access, automation |
All commands are read-only. No sudo. No Keychain writes. No state files. No background processes. No network calls.
Build from source (Swift):
```bash
git clone https://github.com/qinnovates/macshield.git
cd macshield
swift build -c release
sudo cp .build/release/MacShield /usr/local/bin/macshield
```
Original Bash version:
```bash
git clone https://github.com/qinnovates/macshield.git
cd macshield
chmod +x macshield.sh
sudo cp macshield.sh /usr/local/bin/macshield
```
Commands:
```
macshield audit                 Full security posture check with risk score
macshield audit --format json   Machine-readable JSON output
macshield audit --format human  Colored terminal output (default when TTY)
macshield scan                  Scan open TCP/UDP ports with process info
macshield connections           Show active TCP connections with remote endpoints
macshield persistence           List non-Apple LaunchAgents, LaunchDaemons, kexts, cron
macshield permissions           Show apps with sensitive TCC permissions
macshield --version             Print version
macshield --help                Print help
```
macshield scan scans all open TCP and UDP ports on your machine using lsof. Each port is labeled with what it does (DNS, Bonjour, CUPS, AirPlay, etc.) or flagged as ** REVIEW ** if it's non-standard.
Before the scan runs, macshield tells you exactly what it will do, what it will not do, and asks for your explicit permission. Nothing happens without your consent.
What port scanning tells you: Which services on your Mac are listening for incoming connections. Useful for spotting unexpected listeners (a dev server you forgot, a service you didn't enable, or something you don't recognize).
What it does NOT do: It does not close ports, disable services, or change anything. It does not scan other machines. It reads local state from lsof and socketfilterfw only. Zero packets leave your machine.
Example output:
```
================================================================
macshield Port Scan Report
Generated: 2026-02-28 09:30:15
Host: MacBook Pro
================================================================

--- TCP LISTENING PORTS ---
PORT   PROCESS    PID   NOTE
----------------------------------------------------------------------
631    cupsd      442   CUPS (printing)
5000   ControlCe  1203  AirPlay / UPnP
7000   ControlCe  1203  AirPlay streaming

Total TCP listeners: 3
Ports to review: 0

--- UDP PORTS ---
PORT   PROCESS    PID   NOTE
----------------------------------------------------------------------
53     mDNSRespo  312   DNS (domain name resolution)
5353   mDNSRespo  312   mDNS / Bonjour
137    netbiosd   445   NetBIOS name service

Total UDP ports: 3

--- FIREWALL STATUS ---
Firewall: Firewall is enabled. (State = 1)
Stealth mode: Stealth mode enabled.
================================================================
```
You can run macshield scan on any network, including public WiFi, without risk. It sends zero packets to the network. Nothing for a network monitor to detect.
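How a report like the one above is derived from `lsof`, as an added example in shell (not macshield's own code). The port-to-service table and the `** REVIEW **` marker for anything outside it are assumed for illustration, as is the exact `lsof` invocation in the comment; `SAMPLE_LSOF` is constructed to have the column layout `lsof -nP` prints, so the script runs without a Mac. Connected sockets (`a:b->c:d`) and unbound UDP sockets (`*:*`) are skipped, and an IPv4/IPv6 pair on the same port is reported once.

```shell
#!/usr/bin/env bash
# Added example, not macshield's own code: label lsof listener output and flag
# ports that are not in a small known-service table (assumed, not exhaustive).
# On a Mac, feed real data with:
#   { lsof -nP -iTCP -sTCP:LISTEN; lsof -nP -iUDP; } | parse_lsof
set -eu

# Constructed sample in lsof's layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
cupsd       442 root    6u  IPv6 0x5d2a1f3a2b1c0001      0t0  TCP [::1]:631 (LISTEN)
cupsd       442 root    7u  IPv4 0x5d2a1f3a2b1c0002      0t0  TCP 127.0.0.1:631 (LISTEN)
ControlCe  1203 alice   8u  IPv4 0x5d2a1f3a2b1c0003      0t0  TCP *:5000 (LISTEN)
ControlCe  1203 alice   9u  IPv4 0x5d2a1f3a2b1c0004      0t0  TCP *:7000 (LISTEN)
node       8801 alice  21u  IPv4 0x5d2a1f3a2b1c0005      0t0  TCP *:3000 (LISTEN)
mDNSRespo   312 _mdnsresponder 10u IPv4 0x5d2a1f3a2b1c0006 0t0  UDP *:5353
mDNSRespo   312 _mdnsresponder 11u IPv4 0x5d2a1f3a2b1c0007 0t0  UDP *:*
curl       9100 alice   5u  IPv4 0x5d2a1f3a2b1c0008      0t0  UDP 10.0.0.5:52011->9.9.9.9:53'

# Services that are normal on a stock macOS install (assumed table).
label_port() {
  case "$1/$2" in
    tcp/631|udp/631) echo "CUPS (printing)" ;;
    tcp/5000)        echo "AirPlay / UPnP" ;;
    tcp/7000)        echo "AirPlay streaming" ;;
    udp/53)          echo "DNS (domain name resolution)" ;;
    udp/5353)        echo "mDNS / Bonjour" ;;
    udp/137|udp/138) echo "NetBIOS name service" ;;
    *)               echo "** REVIEW **" ;;
  esac
}

# Emits "proto port command pid label", one row per proto/port.
# NAME is host:port; IPv6 hosts are bracketed, so take what follows the last colon.
parse_lsof() {
  awk '
    $1 == "COMMAND" { next }                 # header (one per lsof call)
    NF >= 9 {
      if ($9 ~ /->/) next                    # connected socket, not a listener
      proto = tolower($8)                    # NODE column: TCP or UDP
      port = $9; sub(/^.*:/, "", port)
      if (port !~ /^[0-9]+$/) next           # "*:*" has no port to label
      key = proto "/" port
      if (seen[key]++) next                  # collapse the IPv4 + IPv6 pair
      print proto, port, $1, $2
    }' | while read -r proto port cmd pid; do
      printf '%s %s %s %s %s\n' "$proto" "$port" "$cmd" "$pid" "$(label_port "$proto" "$port")"
    done
}

# Number of listeners that need a human to look at them.
count_review() { parse_lsof | grep -c 'REVIEW' || true; }

printf '%s\n' "$SAMPLE_LSOF" | parse_lsof
echo "Ports to review: $(printf '%s\n' "$SAMPLE_LSOF" | count_review)"
```

On the sample the only `** REVIEW **` row is the `node` process on TCP 3000, the forgotten dev server the paragraph above describes. The table is deliberately small: an unknown port should be looked at, not silently labelled.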
```bash
macshield scan --purge 5m   # Save report, auto-delete after 5 minutes
macshield scan --quiet      # Display only, no prompts
```
macshield audit runs a full security posture check with color-coded PASS/WARN/FAIL results.
What it checks:
| Category | Checks |
|---|---|
| System Protection | SIP, FileVault, Gatekeeper, Firewall, Stealth mode, Lockdown Mode, Secure Boot, XProtect |
| Sharing Services | Remote Login (SSH), Screen Sharing, File Sharing (SMB), Remote Management (ARD), Remote Apple Events, Bluetooth, AirDrop |
| Privacy Settings | Mac Analytics, Siri, Spotlight Suggestions, Personalized Ads |
| WiFi Security | Encryption type (WPA3/WPA2/WEP/Open), Private WiFi Address (MAC randomization), DNS servers |
| ARP Table | Duplicate MAC addresses (possible ARP spoofing / man-in-the-middle attack) |
| File Hygiene | .ssh directory permissions, SSH key permissions, .env files near home, plaintext .git-credentials, .netrc permissions |
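The File Hygiene row, as an added shell example (not macshield's own code) run over a constructed home directory. The mode limits are OpenSSH's expectations (0700 for `~/.ssh`, 0600 for private keys and `.netrc`); the PASS/WARN/FAIL/SKIP line format is an assumption. The comparison is a bit test, not a string compare, so a 0400 key passes a 0600 limit while a group-readable 0640 key fails it, and the `stat` call is chosen per platform because BSD and GNU `stat` take different flags.

```shell
#!/usr/bin/env bash
# Added example, not macshield's own code: file-hygiene checks for one home
# directory. make_sample_home builds a constructed fixture so it runs anywhere.
set -eu

# Permission bits of a path as an octal string, on macOS (BSD stat) or Linux (GNU stat).
perm_octal() {
  case "$(uname -s)" in
    Darwin) stat -f '%Lp' "$1" ;;
    *)      stat -c '%a' "$1" ;;
  esac
}

# FAIL if any bit outside the allowed mask is set; PASS otherwise; SKIP if absent.
# Usage: check_mode <path> <allowed-octal>
check_mode() {
  local path=$1 allowed=$2 actual a m
  if [ ! -e "$path" ]; then echo "SKIP $path (absent)"; return 0; fi
  actual=$(perm_octal "$path")
  a=$(printf '%d' "0$actual")    # octal string -> integer
  m=$(printf '%d' "0$allowed")
  if [ $(( a & ~m & 511 )) -ne 0 ]; then   # 511 = 0777, the rwx bits only
    echo "FAIL $path mode $actual (expected at most $allowed)"
  else
    echo "PASS $path mode $actual"
  fi
}

# One line per finding for the home directory given.
audit_home() {
  local home=$1 f
  check_mode "$home/.ssh" 700
  for f in "$home"/.ssh/id_*; do
    [ -e "$f" ] || continue
    case "$f" in *.pub) continue ;; esac   # public halves are meant to be readable
    check_mode "$f" 600
  done
  check_mode "$home/.netrc" 600
  if [ -e "$home/.git-credentials" ]; then
    echo "WARN $home/.git-credentials stores plaintext credentials; use the osxkeychain credential helper instead"
  fi
  # .env files one or two levels below home get swept up by backups and sync clients.
  find "$home" -maxdepth 2 -type f -name '.env' 2>/dev/null | sed 's/^/WARN .env file with possible secrets: /'
}

# Count findings with a given status (PASS, WARN, FAIL or SKIP).
count_status() { audit_home "$1" | grep -c "^$2 " || true; }

# Constructed fixture: a correct ~/.ssh directory holding a key that is world-readable
# by mistake, a properly protected .netrc, and a project .env with a secret.
make_sample_home() {
  local h=$1
  mkdir -m 700 "$h/.ssh"
  : > "$h/.ssh/id_ed25519"; chmod 644 "$h/.ssh/id_ed25519"
  : > "$h/.ssh/id_ed25519.pub"
  : > "$h/.netrc"; chmod 600 "$h/.netrc"
  mkdir "$h/project"; echo 'API_KEY=example-not-real' > "$h/project/.env"
}

sample=$(mktemp -d)
make_sample_home "$sample"
audit_home "$sample"          # run it against "$HOME" on a real Mac
rm -rf "$sample"
```

The fixture produces one FAIL (the 0644 private key), one WARN (the `.env`) and two PASS lines; tightening the key to 0600 turns the FAIL into a PASS.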
macshield persistence lists everything that runs code automatically on your Mac that isn't from Apple:
- User LaunchAgents (`~/Library/LaunchAgents/`)
- System LaunchAgents (`/Library/LaunchAgents/`)
- System LaunchDaemons (`/Library/LaunchDaemons/`)
- Login Items
- Cron Jobs
- Non-Apple Kernel Extensions
Review any entries you don't recognize. This is one of the most useful checks for spotting unwanted software.
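The LaunchAgent/LaunchDaemon part of that check, as an added shell example (not macshield's own code): it pulls the `Label` and the executable out of each XML plist in a directory, skips `com.apple.*` entries and, where `codesign` exists (that is, on a Mac), verifies the executable's signature. The awk parser handles the usual XML plist layout only, so binary plists need `plutil -convert xml1` first; the fixture plists written by `make_sample_dir` are constructed, and the signature column wording is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not macshield's own code: list non-Apple launchd plists with
# the binary each one runs, and verify that binary's signature when codesign exists.
set -eu
TAB=$(printf '\t')

# Print "<label>\t<program>" for one XML plist. Program comes from the Program
# key, or the first ProgramArguments string when Program is absent.
plist_target() {
  awk '
    /<key>Label<\/key>/            { want = "label" }
    /<key>Program<\/key>/          { want = "program" }
    /<key>ProgramArguments<\/key>/ { want = "args" }
    want != "" && /<string>/ {
      s = $0; sub(/^.*<string>/, "", s); sub(/<\/string>.*$/, "", s)
      if (want == "label") label = s
      else if (want == "program") program = s
      else if (args == "") args = s        # first array element is the executable
      want = ""
    }
    END {
      if (label == "") label = "(no Label)"
      printf "%s\t%s\n", label, (program != "" ? program : args)
    }' "$1"
}

# "label<TAB>program<TAB>signature" for every non-Apple plist in one directory.
audit_plist_dir() {
  local dir=$1 plist line label program sig
  [ -d "$dir" ] || return 0
  for plist in "$dir"/*.plist; do
    [ -e "$plist" ] || continue
    line=$(plist_target "$plist")
    label=${line%%"$TAB"*}
    program=${line#*"$TAB"}
    case "$label" in com.apple.*) continue ;; esac
    sig="unchecked (no codesign on this host)"
    if command -v codesign >/dev/null 2>&1 && [ -n "$program" ]; then
      if codesign --verify --strict "$program" >/dev/null 2>&1; then sig="signed"; else sig="UNSIGNED or invalid"; fi
    fi
    printf '%s\t%s\t%s\n' "$label" "$program" "$sig"
  done
}

# Constructed fixtures: an Apple entry (skipped), a third-party agent that uses
# ProgramArguments with a path containing a space, a daemon that uses Program.
make_sample_dir() {
  local d=$1
  cat > "$d/com.apple.sample.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.sample</string>
  <key>Program</key><string>/usr/libexec/sample</string>
</dict></plist>
EOF
  cat > "$d/com.example.agent.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key>
  <string>com.example.agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Library/Application Support/Agent/agent</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  cat > "$d/com.example.daemon.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.daemon</string>
  <key>Program</key><string>/usr/local/bin/exampled</string>
</dict></plist>
EOF
}

d=$(mktemp -d); make_sample_dir "$d"
audit_plist_dir "$d"
rm -rf "$d"
# On a Mac, point it at the real directories:
#   for dir in ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons; do audit_plist_dir "$dir"; done
```

A label that does not start with `com.apple.` is only a heuristic for "not from Apple"; malware picks Apple-looking labels on purpose, which is why the signature of the referenced binary is the stronger signal, and why a plist whose executable is missing or unsigned deserves a look.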
macshield tells you what's exposed. Here are the commands to fix it yourself:

Enable stealth mode (the Mac stops answering ICMP echo requests and probes to closed ports, so ping sweeps and port scans get silence; services you have open still answer):
```bash
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
```
Set hostname to generic (prevents identity leaking on public WiFi; the name shows up in DHCP, mDNS/Bonjour and NetBIOS traffic):
```bash
sudo scutil --set ComputerName "MacBook Pro"
sudo scutil --set LocalHostName "MacBook-Pro"
sudo scutil --set HostName "MacBook-Pro"
```
Disable NetBIOS (closes ports 137/138). `bootout` only unloads the service for the current boot; `disable` keeps it from coming back after a restart, which is what the `enable` in the undo steps below reverses:
```bash
sudo launchctl bootout system/com.apple.netbiosd
sudo launchctl disable system/com.apple.netbiosd
```
Set privacy-focused DNS (Quad9, blocks malware domains). `Wi-Fi` is the network service name; run `networksetup -listallnetworkservices` if yours differs (for example `Ethernet`):
```bash
networksetup -setdnsservers Wi-Fi 9.9.9.9 149.112.112.112
```
Undo everything:
```bash
# Disable stealth mode
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off
# Restore your personal hostname
sudo scutil --set ComputerName "Your Name MacBook"
sudo scutil --set LocalHostName "Your-Name-MacBook"
sudo scutil --set HostName "Your-Name-MacBook"
# Re-enable NetBIOS
sudo launchctl enable system/com.apple.netbiosd
sudo launchctl kickstart system/com.apple.netbiosd
# Reset DNS to ISP default
networksetup -setdnsservers Wi-Fi empty
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
```

**DNS**

What it does: Translates domain names into IP addresses. Every time you visit a website, your device asks a DNS server "where is this?"

Who sees your queries: By default, your ISP's DNS server. It sees every domain you visit and may sell that history to advertisers.

What changing DNS does: Switching to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9) moves your queries to that resolver, so your ISP's resolver no longer logs them. Quad9 also blocks known malware domains. Plain DNS on port 53 is unencrypted, though: anyone on the path, the ISP included, can still read the queries in transit. Encrypted DNS (DNS over HTTPS or DNS over TLS, which macOS supports through configuration profiles and some apps) closes that gap; the IP addresses you then connect to remain visible.

What it does NOT do: Changing DNS does not encrypt your traffic or hide your IP address. It is not a VPN.

**VPN**

What it does: Encrypts all traffic between your device and the VPN server. Your ISP sees encrypted data going to one IP address.

What it does NOT do: A VPN does not hide your hostname on the local network. It does not block local network reconnaissance (ARP, mDNS, NetBIOS). It does not protect against malware on your device.

**Where macshield fits**

macshield is an analyzer. It checks whether your system is configured securely and tells you what to fix. It doesn't overlap with DNS providers or VPNs -- it checks whether you're using them properly.
| Provider | Addresses | Malware blocking | Jurisdiction | Organization |
|---|---|---|---|---|
| Quad9 | 9.9.9.9, 149.112.112.112 | Yes | Switzerland | Non-profit |
| Cloudflare | 1.1.1.1, 1.0.0.1 | No | United States | For-profit |
| Mullvad | 100.64.0.7 (reachable only from inside a Mullvad VPN tunnel) | No | Sweden | For-profit (VPN company) |
| | Cloudflare WARP | ProtonVPN Free |
|---|---|---|
| Best for | Security | Privacy |
| Jurisdiction | United States (Cloudflare Inc.) | Switzerland (Proton AG) |
| Speed | Fastest (300+ global edge nodes) | Good (5 free server locations) |
| Malware-blocking DNS | Free (1.1.1.2) | Paid only (NetShield) |
| Bandwidth cap | None | None |
| Open-source client | No | Yes (independently audited) |
| No-logs verification | Metadata deleted in 24h | Court-tested: subpoenaed in 2019, had nothing to hand over |
| Install | `brew install --cask cloudflare-warp` | `brew install --cask protonvpn` |
If you cannot afford a commercial VPN subscription, you can build your own for under $5/month. Keep in mind what this buys: a self-hosted VPN moves trust from the coffee-shop network and your ISP to the VPS provider (or your home ISP) and to your own patching of that box. It does not make you anonymous, since every connection now comes from an IP address registered to you.

Option 1: Raspberry Pi at home (~$35-75 one-time)

Install PiVPN on any Raspberry Pi. Traffic tunnels through your home internet.

Option 2: Cloud VPS ($3-5/month)

Rent a cheap VPS (DigitalOcean, Vultr, Oracle Cloud free tier) and install WireGuard.

Option 3: SSH SOCKS tunnel (free)
```bash
ssh -D 1080 -N -f user@your-server.com
networksetup -setsocksfirewallproxy Wi-Fi localhost 1080
networksetup -setsocksfirewallproxystate Wi-Fi on
```
This is a proxy, not a VPN. Only applications that honour the system SOCKS proxy setting go through the tunnel; anything else, including most system services, leaves directly. DNS is also resolved locally unless the application does remote resolution over SOCKS5 (Firefox's "Proxy DNS when using SOCKS v5" does; many apps do not), so the network can still see which names you look up.

- Zero attack surface. macshield is read-only. No sudo, no Keychain writes, no state files, no background processes. Nothing to compromise.
- Swift + open source. Every line is readable and auditable. Single dependency: `swift-argument-parser` (Apple-maintained). The original Bash version is also preserved.
- No network calls. macshield never phones home, never auto-updates, never sends telemetry. Zero packets leave your machine.
- No persistence. No LaunchAgent, no daemon, no cron job. macshield runs only when you invoke it.
- Code signing verification. The Swift binary verifies its own code signature at launch using the Security framework (SecStaticCode). Tampered binaries refuse to run. The limit of a self-check: an attacker who can replace the whole executable can also drop the check, so this catches a corrupted or partially modified binary, not a wholesale substitution. Gatekeeper and the signature on the download are what guard the latter.
- Parameterized SQL only. TCC database queries use the sqlite3 C API with parameterized queries. No string interpolation of service names into SQL.
- Output includes hostname. `--format json` output contains your Mac's hostname. Treat saved reports as potentially identifying information.
- Confidence, not certainty. Every report includes a confidence metric. If checks could not run (no Full Disk Access, command timeout, unexpected output), the score explicitly says so instead of silently reporting PASS.
| Feature | macshield | Little Snitch | Intego NetBarrier | LuLu | ALBATOR |
|---|---|---|---|---|---|
| Security audit | Yes (risk scored) | No | No | No | Yes (static) |
| Port scanning | Yes | No | No | No | No |
| Persistence check | Yes (with signing) | No | No | No | No |
| Permissions audit | Yes (TCC) | No | No | No | No |
| Connection monitor | Yes | Yes | Yes | Yes | No |
| JSON output | Yes | No | No | No | No |
| Open source | Yes | No | No | Yes | Yes |
| Price | Free | $69 | $50/yr | Free | Free |
| Modifies system | No | Yes | Yes | Yes | Yes |
| Background process | No | Yes | Yes | Yes | N/A |
Uninstall:
```bash
macshield --uninstall
```
Or manually:
```bash
sudo rm /usr/local/bin/macshield
```
Homebrew:
```bash
brew uninstall macshield
brew untap qinnovates/tools
```
The uninstaller also cleans up legacy artifacts from older macshield versions (LaunchAgents, LaunchDaemons, sudoers fragments, Keychain entries).

Troubleshooting:

If `brew` is not found on an Apple silicon Mac, Homebrew lives in `/opt/homebrew`, which is not on the default PATH; load its environment into the current shell:
```bash
eval "$(/opt/homebrew/bin/brew shellenv)"
```
Older versions installed a LaunchAgent, sudoers fragment, and Keychain entries. Run the new uninstaller to clean up:
```bash
./uninstall.sh
```
Or clean up manually. Unload the jobs before deleting their plists, otherwise the old agent and daemon keep running until the next reboot; the Keychain entries still have to be removed separately with Keychain Access or the `security` tool:
```bash
launchctl bootout gui/$(id -u)/com.qinnovates.macshield 2>/dev/null
sudo launchctl bootout system/com.qinnovates.macshield 2>/dev/null
rm -f ~/Library/LaunchAgents/com.qinnovates.macshield.plist
sudo rm -f /Library/LaunchDaemons/com.qinnovates.macshield.plist
sudo rm -f /etc/sudoers.d/macshield
```

Changelog:

Complete Swift rewrite. Type-safe. Testable. Machine-readable.
Full rewrite from 1153-line Bash script to Swift 6.0 with SwiftPM. 42 unit tests, zero warnings.
- New: Weighted risk scoring (0-100) with confidence metric across 6 categories
- New: INCONCLUSIVE status; checks that fail to run degrade confidence instead of silently passing
- New: `--format json` for CI/CD integration, `--format human` for terminal
- New: AMFI status check with value parsing (not just key presence)
- New: XProtect version extraction, non-Apple kext detection, unsigned persistence items
- New: Code signing self-verification at launch (SecStaticCode + team ID)
- New: TCC queries via parameterized sqlite3 C API with OS version guardrail
- New: Hardened ProcessRunner with async pipe draining, real timeout, SIGKILL fallback
- Fixed: SIP substring false positive (`"disabled".contains("enabled")` was `true`)
- Fixed: All string-based categories replaced with compiler-enforced enums
- Dependency: swift-argument-parser only (Apple-maintained)
Analyzer-only. Removed all system modifications.
Any security tool that modifies your system introduces its own attack surface -- the paradox of protection. Previous versions included a LaunchAgent, sudoers fragment, HMAC-based trust storage, and automated triggering on network changes. Each was a potential vector: a compromised plist could swap the binary target, the sudoers fragment granted privilege, and automated SSID detection ran without user interaction.
v0.5.0 strips macshield down to pure read-only analysis with zero attack surface. The tool tells you what's wrong and teaches you how to fix it. You run the commands yourself.
- Removed: `harden`, `relax`, `trust`, `untrust`, `--trigger`, `--check`, `setup`
- Removed: LaunchAgent, LaunchDaemon, sudoers fragment, Keychain writes, HMAC trust storage, integrity check, state tracking
- Removed: `install.sh` setup wizard (8 steps reduced to 1: copy the binary)
- Kept: `scan`, `audit`, `connections`, `persistence`, `permissions`, `purge`
- Added: Manual hardening commands in help text and README
- Uninstaller cleans up all legacy artifacts from older versions
Self-integrity check.
- On install, macshield stored a SHA-256 hash in Keychain and verified on launch
Free VPN options. Full-stack protection for students on public WiFi.
- Added Cloudflare WARP and ProtonVPN to installer
- DNS step context-aware based on VPN choice
LaunchAgent + scoped sudo. Color output. Security reports.
- Added: `scan`, `audit`, `connections`, `persistence`, `permissions`
Replaced sudoers fragment with LaunchDaemon.
Initial release. Stealth mode, hostname protection, NetBIOS control, HMAC-SHA256 trust storage, Homebrew tap.
Full changelog: CHANGELOG.md