This repository contains scripts and configuration files to automate the hardening of MacOS (Intel and Apple Silicon). It aims to enhance security, privacy, and anonymity by applying best practices inspired by the drduh/macOS-Security-and-Privacy-Guide and privacy.sexy.
A significant portion of the aggressive privacy tuning and "Privacy Over Security" configurations found within this toolkit's macOS hardening logic is directly influenced by and adapted from the excellent work over at privacy.sexy by undergroundwires. We highly recommend checking out their project for comprehensive cross-platform privacy scripts.
When you run better-anonymity install (or "Install CLI Aliases"), the following shortcuts are added to your shell (~/.zshrc):
| Alias | Equivalent Command | Description |
|---|---|---|
torify |
export ALL_PROXY=... |
Enables Tor SOCKS5 proxy for current shell session |
untorify |
unset ALL_PROXY |
Disables Tor proxy for current shell session |
tor-run <cmd> |
env ALL_PROXY=... <cmd> |
Runs a single command through Tor (e.g., tor-run curl ifconfig.me) |
stay-connected |
b-a captive monitor |
Monitoring tool for flaky Wi-Fi / Captive Portals |
i2pify |
export http_proxy=... |
Enables I2P HTTP proxy for current shell session |
USE AT YOUR OWN RISK.
These scripts modify system settings, network configurations, and application preferences. While every effort has been made to ensure safety, applying these settings may break functionality (e.g., Handoff, AirDrop, certain iCloud features).
- Always backup your data before running these scripts.
- Review the scripts before execution to understand what changes will be applied.
- It is recommended to test in a Virtual Machine first.
- OS Hardening: Disables telemetry, enables firewall with hardware-level IP blocklists (
pfctl), configures secure boot requirements. - Network Privacy: DNS configuration, Privoxy setup for local proxying, Boot-persistent MAC Spoofing via event-driven LaunchDaemons.
- Browser Hardening: Automated surgical
user.jsinjection for Firefox/LibreWolf privacy. - Anonymity: Scripts to assist with Tor configuration and I2P installation.
- UX: Automatic Sudo Keep-Alive to minimize password prompts during setup.
Choose your preferred installation method:
Install directly using our custom Homebrew tap:
brew tap johnpatrickroach/better-anonymity
brew install better-anonymityYou can install the highly accessible Python wrapper directly from PyPI. This will automatically install dependencies and place the CLI in your $PATH.
pip install better-anonymityNote: On newer macOS versions, you might encounter an "externally-managed-environment" error. If so, we recommend using pipx install better-anonymity.
If you prefer to run the raw Bash scripts or want to contribute to the codebase, clone the repository directly:
git clone https://github.com/johnpatrickroach/better-anonymity.git
cd better-anonymityThen, manually install the global aliases (b-a):
./bin/better-anonymity installBy default, running better-anonymity harden will comprehensively execute every macOS privacy and security countermeasure built into the toolkit.
However, you can surgically customize exactly which actions execute by modifying the config/settings.json file natively included in the repository.
{
"hardening": {
"enable_firewall": true,
"disable_analytics": false,
"anonymize_hostname": true,
"ensure_lockdown": false
}
}If you set any specific module to false, the hardening script will structurally bypass that component during execution without prompt. This is ideal for building tailored execution baselines that don't intrude on explicit network features you rely on.
-
First Run Setup: Launch the interactive wizard to apply the security baseline.
better-anonymity setup
-
Check Your Score: Analyze your system's current privacy/anonymity status.
better-anonymity diagnose
-
Interactive Menu: Explore all features via the dashboard.
better-anon
You can use the interactive menu or individual commands. CLI aliases better-anonymity, better-anon, and b-a are interchangeable.
-
Diagnosis:
b-a diagnose b-a --version
-
Explaining Commands: Use the
--explainflag with any command to see what it does without running it.b-a setup --explain b-a network-anon --explain
-
Hardening:
b-a harden # Apply macOS hardening b-a ssh # SSH Hardening menu
-
Tools:
b-a tor install b-a install signal b-a dns quad9 b-a network-open # Restore network defaults b-a network-anon # Enable all anonymity services b-a captive monitor # Launch connectivity monitor
Keep your installation current:
b-a check-update # Check if updates are available
b-a update # Auto-upgrades via Brew, Pip, or Git natively
b-a test # Run unit testsTo remove the CLI aliases (b-a, better-anon) from your system:
better-anonymity uninstallNew: You will be prompted to:
- Restore System State: Revert Hostname, DNS, and Firewall to their original values (captured during setup).
- Uninstall Tools: Automatically remove tools installed by
better-anonymity(e.g., Tor, Privoxy). - Scrub Environment: Remove the
~/.better-anonymitycache and dynamically wipe the convenience alias blocks from your~/.zshrc.
Note: Manual verification is recommended after uninstallation to ensure all desired changes are reverted.
For detailed information on each module, please refer to the specific documentation:
- OS Hardening: Firewall, Analytics, Spotlight, Screen Saver.
- Network Privacy: DNS configuration and Wi-Fi hygiene.
- Privoxy: Local proxy for adblocking and privacy.
- Tor: Anonymity network configuration.
- Firefox Hardening:
user.jsconfiguration. - GPG: Strong cryptography settings.
- Password Generator: Strong passphrase generation.
To enable zsh completions (tab-autocomplete), add the following to your .zshrc:
# Add better-anonymity completions to fpath
echo 'fpath=(/path/to/better-anonymity/completions $fpath)' >> ~/.zshrc
echo 'autoload -Uz compinit && compinit' >> ~/.zshrcMIT