#!/bin/bash # ============================================================ # PolarGuarded Security Scanner v1.0 — macOS # Canadian Cybersecurity — polarguarded.com # ============================================================ SCAN_DATE=$(date "+%B %d, %Y %H:%M") HOSTNAME=$(hostname) USERNAME=$(whoami) OS_NAME=$(sw_vers -productName) OS_VERSION=$(sw_vers -productVersion) REPORT_PATH="$HOME/Desktop/PolarGuarded-Report-$(date '+%Y-%m-%d-%H%M').html" echo "" echo " ========================================" echo " POLARGUARDED SECURITY SCANNER v1.0" echo " polarguarded.com" echo " ========================================" echo "" echo " Computer : $HOSTNAME" echo " User : $USERNAME" echo " OS : $OS_NAME $OS_VERSION" echo " Date : $SCAN_DATE" echo "" CHECKS_JSON="" add_check() { local category="$1" local check="$2" local status="$3" local detail="$4" local risk="$5" CHECKS_JSON="${CHECKS_JSON}${category}${check}${status}${detail}${risk}" } # ── 1. FIREWALL ────────────────────────────────────────────── echo " [1/12] Checking Firewall..." FW=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null) if echo "$FW" | grep -q "enabled"; then add_check "Firewall" "Application Firewall" "PASS" "Firewall is enabled. Incoming connections are being filtered." "low" else add_check "Firewall" "Application Firewall" "FAIL" "Firewall is DISABLED. Enable it in System Settings > Network > Firewall." "critical" fi # ── 2. FILEVAULT ───────────────────────────────────────────── echo " [2/12] Checking FileVault encryption..." FV=$(fdesetup status 2>/dev/null) if echo "$FV" | grep -q "FileVault is On"; then add_check "Encryption" "FileVault Disk Encryption" "PASS" "FileVault is ON. Your disk is encrypted and protected if your Mac is lost or stolen." "low" else add_check "Encryption" "FileVault Disk Encryption" "FAIL" "FileVault is OFF. Enable it in System Settings > Privacy & Security > FileVault." "high" fi # ── 3. SYSTEM UPDATES ──────────────────────────────────────── echo " [3/12] Checking system updates..." UPDATES=$(softwareupdate -l 2>&1) if echo "$UPDATES" | grep -q "No new software available"; then add_check "Updates" "macOS System Updates" "PASS" "Your Mac is fully up to date. No pending updates found." "low" else COUNT=$(echo "$UPDATES" | grep -c "^\*" 2>/dev/null || echo "1") add_check "Updates" "macOS System Updates" "WARN" "${COUNT} update(s) available. Install them to stay protected against known vulnerabilities." "medium" fi # ── 4. GATEKEEPER ──────────────────────────────────────────── echo " [4/12] Checking Gatekeeper..." GK=$(spctl --status 2>/dev/null) if echo "$GK" | grep -q "assessments enabled"; then add_check "Security" "Gatekeeper" "PASS" "Gatekeeper is enabled. Only apps from trusted sources can be installed." "low" else add_check "Security" "Gatekeeper" "FAIL" "Gatekeeper is DISABLED. Any app can be installed regardless of source. Re-enable in System Settings." "critical" fi # ── 5. REMOTE LOGIN (SSH) ──────────────────────────────────── echo " [5/12] Checking Remote Login..." SSH=$(systemsetup -getremotelogin 2>/dev/null) if echo "$SSH" | grep -q "Off"; then add_check "Network" "Remote Login (SSH)" "PASS" "Remote Login is disabled. Good — SSH access is not exposed." "low" else add_check "Network" "Remote Login (SSH)" "WARN" "Remote Login (SSH) is ENABLED. Disable it in System Settings > General > Sharing if not needed." "high" fi # ── 6. REMOTE DESKTOP ──────────────────────────────────────── echo " [6/12] Checking Remote Desktop..." RD=$(systemsetup -getremoteappleevents 2>/dev/null) if echo "$RD" | grep -q "Off"; then add_check "Network" "Remote Apple Events" "PASS" "Remote Apple Events are disabled." "low" else add_check "Network" "Remote Apple Events" "WARN" "Remote Apple Events are ENABLED. Disable in System Settings > General > Sharing if not needed." "medium" fi # ── 7. SCREEN SHARING ──────────────────────────────────────── echo " [7/12] Checking Screen Sharing..." SS=$(launchctl list 2>/dev/null | grep -i "screensharing") if [ -z "$SS" ]; then add_check "Network" "Screen Sharing" "PASS" "Screen Sharing is disabled. Good." "low" else add_check "Network" "Screen Sharing" "WARN" "Screen Sharing appears to be active. Disable in System Settings > General > Sharing if not needed." "medium" fi # ── 8. GUEST ACCOUNT ───────────────────────────────────────── echo " [8/12] Checking Guest account..." GUEST=$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null) if [ "$GUEST" = "0" ] || [ -z "$GUEST" ]; then add_check "Accounts" "Guest Account" "PASS" "Guest account is disabled. Unauthorized local access is restricted." "low" else add_check "Accounts" "Guest Account" "FAIL" "Guest account is ENABLED. Disable it in System Settings > Users & Groups." "high" fi # ── 9. AUTOMATIC LOGIN ─────────────────────────────────────── echo " [9/12] Checking Automatic Login..." AL=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null) if [ -z "$AL" ]; then add_check "Accounts" "Automatic Login" "PASS" "Automatic login is disabled. A password is required to log in." "low" else add_check "Accounts" "Automatic Login" "FAIL" "Automatic login is ENABLED for user: $AL. Anyone can access this Mac without a password." "critical" fi # ── 10. OPEN PORTS ─────────────────────────────────────────── echo " [10/12] Scanning open ports..." RISKY_PORTS="21 23 25 135 139 445 3389 5900 8080" OPEN_PORTS=$(netstat -an 2>/dev/null | grep LISTEN | awk '{print $4}' | rev | cut -d. -f1 | rev | sort -un) RISKY_FOUND="" for port in $RISKY_PORTS; do if echo "$OPEN_PORTS" | grep -qw "$port"; then RISKY_FOUND="$RISKY_FOUND $port" fi done if [ -z "$RISKY_FOUND" ]; then add_check "Network" "Open Ports" "PASS" "No high-risk ports detected." "low" else add_check "Network" "Open Ports" "FAIL" "High-risk ports open:$RISKY_FOUND. These can be exploited by attackers." "high" fi # ── 11. SUSPICIOUS PROCESSES ───────────────────────────────── echo " [11/12] Checking running processes..." SUSPICIOUS="mimikatz meterpreter netcat nmap wireshark psexec" FOUND_PROCS="" for proc in $SUSPICIOUS; do if pgrep -i "$proc" > /dev/null 2>&1; then FOUND_PROCS="$FOUND_PROCS $proc" fi done if [ -z "$FOUND_PROCS" ]; then add_check "Processes" "Suspicious Processes" "PASS" "No known suspicious processes detected." "low" else add_check "Processes" "Suspicious Processes" "FAIL" "Suspicious process(es) detected:$FOUND_PROCS. Investigate immediately." "critical" fi # ── 12. SIP STATUS ─────────────────────────────────────────── echo " [12/12] Checking System Integrity Protection..." SIP=$(csrutil status 2>/dev/null) if echo "$SIP" | grep -q "enabled"; then add_check "Security" "System Integrity Protection (SIP)" "PASS" "SIP is enabled. Core system files are protected from modification." "low" else add_check "Security" "System Integrity Protection (SIP)" "FAIL" "SIP is DISABLED. Core system files are unprotected. Re-enable via macOS Recovery." "critical" fi # ── CALCULATE SCORE ────────────────────────────────────────── TOTAL=12 PASSED=$(echo "$CHECKS_JSON" | grep -o "PASS" | wc -l | tr -d ' ') WARNINGS=$(echo "$CHECKS_JSON" | grep -o "WARN" | wc -l | tr -d ' ') FAILED=$(echo "$CHECKS_JSON" | grep -o "FAIL" | wc -l | tr -d ' ') SCORE=$(( (PASSED * 100) / TOTAL )) if [ $SCORE -ge 90 ]; then GRADE="A" elif [ $SCORE -ge 75 ]; then GRADE="B" elif [ $SCORE -ge 60 ]; then GRADE="C" elif [ $SCORE -ge 40 ]; then GRADE="D" else GRADE="F" fi if [ $SCORE -ge 90 ]; then GRADE_COLOR="#3fd68a" elif [ $SCORE -ge 75 ]; then GRADE_COLOR="#5bc8f5" elif [ $SCORE -ge 60 ]; then GRADE_COLOR="#f5a623" else GRADE_COLOR="#ff4f4f" fi echo "" echo " ========================================" echo " SCAN COMPLETE" echo " ========================================" echo " Score : $SCORE/100 (Grade: $GRADE)" echo " Passed : $PASSED checks" echo " Warnings: $WARNINGS checks" echo " Failed : $FAILED checks" echo "" echo " Generating HTML report..." # ── BUILD HTML ─────────────────────────────────────────────── build_checks_html() { local html="" local current_cat="" while IFS= read -r line; do cat=$(echo "$line" | sed 's/.*\(.*\)<\/CATEGORY>.*/\1/') name=$(echo "$line" | sed 's/.*\(.*\)<\/NAME>.*/\1/') status=$(echo "$line" | sed 's/.*\(.*\)<\/STATUS>.*/\1/') detail=$(echo "$line" | sed 's/.*\(.*\)<\/DETAIL>.*/\1/') if [ "$cat" != "$current_cat" ]; then if [ -n "$current_cat" ]; then html="${html}"; fi html="${html}
${cat}
" current_cat="$cat" fi if [ "$status" = "PASS" ]; then color="#3fd68a"; bg="rgba(63,214,138,0.08)"; border="rgba(63,214,138,0.2)"; icon="✓" elif [ "$status" = "WARN" ]; then color="#f5a623"; bg="rgba(245,166,35,0.08)"; border="rgba(245,166,35,0.2)"; icon="⚠" else color="#ff4f4f"; bg="rgba(255,79,79,0.08)"; border="rgba(255,79,79,0.2)"; icon="✕" fi html="${html}
${icon}${name}${status}
${detail}
" done < <(echo "$CHECKS_JSON" | grep -o ".*" | sed 's/<\/CHECK>/\n/g' | sed 's///g' | sed 's/<\/CHECK>//g') if [ -n "$current_cat" ]; then html="${html}
"; fi echo "$html" } CHECKS_HTML=$(build_checks_html) cat > "$REPORT_PATH" << HTMLEOF PolarGuarded Security Report — $HOSTNAME
PolarGuarded macOS
SECURITY SCAN REPORT
Generated: $SCAN_DATE
polarguarded.com
$SCORE
Score
Grade $GRADE
$PASSED
Passed
$WARNINGS
Warnings
$FAILED
Failed
$TOTAL
Total Checks
Computer: $HOSTNAME
User: $USERNAME
OS: $OS_NAME $OS_VERSION
$CHECKS_HTML

Stay Protected with PolarGuarded Pro

This Mac scan is just the start. PolarGuarded Pro gives you unlimited online scans for URLs, files, phone numbers, and emails — plus a built-in VPN to encrypt your connection on any network.

Upgrade to Pro — $9/mo CAD
Unlimited URL & file scans
Phone scam detection
Email risk checker
PolarGuarded VPN
Cancel anytime
PolarGuarded Security Scanner v1.0 — macOS  ·  polarguarded.com  ·  Built in Canada 🇨🇦
This report was generated locally on your device. No data was sent to PolarGuarded servers.
HTMLEOF echo " Report saved to Desktop" echo "" echo " Opening report..." open "$REPORT_PATH" echo "" echo " ========================================" echo " Scan complete! Check your desktop." echo " ========================================" echo "" echo " Visit polarguarded.com for unlimited" echo " online scanning and Pro features." echo ""