Product Introduction
Definition: fort is an open-source, command-line security audit and remediation tool specifically for macOS systems. It is a single, statically compiled Go binary designed to run local security checks against over 15 system controls without requiring external agents, user accounts, or management profiles.
Core Value Proposition: fort exists to provide instant, transparent, and automated Mac security hardening for individuals and teams. It solves the problem of complex, manual security audits and the overhead of Mobile Device Management (MDM) solutions, enabling developers and small organizations to quickly verify and enforce a hardened macOS configuration compliant with standards like SOC 2 and ISO 27001.
Main Features
Comprehensive Security Audit: fort performs an immediate audit of 15+ critical macOS security settings. It uses stable, documented system APIs (e.g., fdesetup, launchctl, socketfilterfw) to check the status of FileVault disk encryption, System Integrity Protection (SIP), application firewall, screen lock policies, SSH remote login, sharing services, AirDrop configuration, and more. The audit completes in under three seconds and outputs a clear score with pass/fail status for each control.
Automatic Remediation (--fix): Most audit findings can be automatically corrected using the --fix flag. The tool safely modifies system settings to enable FileVault, activate the firewall, enforce immediate screen lock, disable unnecessary services (like SSH or guest account), and enable Touch ID for sudo. A --dry-run mode allows users to preview changes before execution, ensuring transparency and control.
Actionable Reporting (--report): fort generates a self-contained, timestamped HTML report with a full snapshot of the machine's security posture. The report details machine identity, serial number, the exact terminal command and raw output for every check, and maps findings to relevant controls from compliance frameworks like SOC 2, ISO 27001, NIST CSF, and CIS. This document is designed for audit evidence and can be printed to PDF directly from a browser.
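To cross-check an audit result by hand, the following added example (not fort's code, and not taken from the project) reads four of the controls listed above with stock macOS commands and classifies their output. The matched output strings and the use of csrutil and spctl are assumptions about macOS 12 or later; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not fort's code: manual spot-check of four listed controls.

# classify CONTROL OUTPUT -> prints PASS, FAIL or UNKNOWN.
# Expected strings are the stock command outputs (assumption: macOS 12+).
classify() {
    case "$1" in
        filevault)  pass='FileVault is On'; fail='FileVault is Off' ;;
        sip)        pass='System Integrity Protection status: enabled'
                    fail='System Integrity Protection status: disabled'
                    # A partially disabled SIP can still print "enabled".
                    case "$2" in *'Custom Configuration'*) echo FAIL; return ;; esac ;;
        firewall)   pass='Firewall is enabled'; fail='Firewall is disabled' ;;
        gatekeeper) pass='assessments enabled'; fail='assessments disabled' ;;
        *)          echo UNKNOWN; return ;;
    esac
    case "$2" in
        *"$pass"*) echo PASS ;;
        *"$fail"*) echo FAIL ;;
        *)         echo UNKNOWN ;;  # unexpected text is never counted as a pass
    esac
}

# probe CONTROL -> runs the read-only status command for that control.
probe() {
    case "$1" in
        filevault)  fdesetup status ;;
        sip)        csrutil status ;;
        firewall)   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate ;;
        gatekeeper) spctl --status ;;
    esac 2>&1
}

# audit -> prints one line per control and a passed/total summary.
audit() {
    passed=0; total=0
    for c in filevault sip firewall gatekeeper; do
        result=$(classify "$c" "$(probe "$c" || true)")
        total=$((total + 1))
        [ "$result" = PASS ] && passed=$((passed + 1))
        printf '%-10s %s\n' "$c" "$result"
    done
    echo "passed $passed/$total"
}

# Only probe on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

An UNKNOWN result means the command output did not match either expected string and should be inspected manually rather than treated as a pass.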
Problems Solved
Pain Point: Manual security audits of macOS are time-consuming, error-prone, and require deep expertise to ensure all controls are correctly configured and verified for compliance.
Target Audience: Solo developers and power users needing to harden their personal workstations; small teams and IT consultants managing a handful of Macs without a dedicated IT department; security-conscious professionals who require transparent, privacy-respecting tools for personal device security; and startups or teams beginning their compliance journey (SOC 2, ISO 27001) and needing a lightweight alternative to enterprise MDM.
Use Cases: A developer preparing their machine for SOC 2 certification can run fort --fix to remediate common audit findings in minutes. A consultant auditing a client's Mac for ISO 27001 readiness can generate an instant, shareable compliance report. A privacy-focused user can verify no telemetry is running and that all sharing services are disabled with a single command.
Unique Advantages
Differentiation: Unlike traditional Mac security suites (like Malwarebytes or enterprise EDR solutions) or MDM platforms (like Jamf), fort requires no agent, no background process, no user signup, and no network connectivity to function. It contrasts with complex security tools by being a single, executable file that performs a one-shot audit and exits, leaving no footprint.
Key Innovation: The core innovation is the agentless, single-binary architecture combined with transparent auto-remediation. fort reads and modifies system state directly through stable OS APIs, providing immediate feedback and fixes. Its MIT license and fully visible command output (via the report feature) establish complete trust and auditability, which is critical for security tools.
Frequently Asked Questions (FAQ)
What specific macOS security settings does fort check and fix? fort checks over 15 controls, including FileVault disk encryption, SIP status, application firewall, screen lock delay, remote login (SSH), sharing services (File, Screen, Remote Management), AirDrop settings, Gatekeeper, automatic OS updates, local admin rights, guest account status, automatic login, OS patch status, presence of a password manager, antivirus/EDR solutions, and Touch ID for sudo. It can automatically fix most of these settings to their secure defaults.
Is fort compatible with MDM-managed Macs, and will it conflict with existing policies? fort is designed for standalone Macs but can be used alongside MDM. It reads current system state and modifies settings directly. While it won't inherently conflict, changes made by fort --fix could potentially be overridden by a subsequent MDM check-in if the MDM policy is stricter. It is best used as a supplementary tool for verifying baseline settings or for managing unmanaged devices.
How does fort ensure privacy and security as a tool that modifies system settings? fort operates with a privacy-first, transparent design. It requires no network calls for its core audit and fix functions, generates no telemetry, and has no background process. It uses only documented, stable macOS APIs and does not employ private frameworks. The HTML report shows the exact command and raw output for every check, allowing full verification of its actions.
Can fort be used as part of an automated CI/CD pipeline or fleet management strategy? Currently, fort is a CLI tool designed for interactive or scripted use on individual machines. While you could run it via script, there is no built-in fleet management or centralized dashboard. The "Coming Soon" section mentions a planned team dashboard for fleet views and policy files, but for now, it is best suited for point-in-time audits on specific endpoints.
What are the system requirements for running fort, and how do I install it? fort requires macOS 12 (Monterey) or later, running on Apple Silicon or Intel. It has no external dependencies beyond the base OS. You can install it easily via Homebrew (brew install djadmin/tap/fort), by downloading the pre-built binary from GitHub Releases, or by compiling from source with Go 1.21+ using go install.
