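#!/bin/bash
# UAML Operator Workstation Hardening — macOS
# Review every command before running. Re-running is safe.
#
# Usage:   sudo ./<this script>
# Output:  a summary of the steps applied and of the findings that need a
#          human to act on (printed to stdout at the end).
# Exit:    1 when not run as root; otherwise non-zero on the first failing
#          hardening command (set -e).
set -e

# Accumulated by the section functions below and printed by print_summary.
findings=()   # conditions the script detected but could not fix itself
applied=()    # short tags of the hardening steps that were applied

#######################################
# Abort unless running as root; every section writes system-wide settings.
#######################################
require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    printf '%s\n' "This script must run as root (sudo)." >&2
    exit 1
  fi
}

#######################################
# Section 1: turn on the application firewall and stealth mode.
# Globals: applied (written)
#######################################
harden_firewall() {
  local fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  printf '%s\n' "=== 1. macOS application firewall ==="
  "$fw" --setglobalstate on
  # Stealth mode: the host stops answering probes such as ICMP echo and
  # connection attempts to closed ports.
  "$fw" --setstealthmode on
  applied+=("appfirewall")
}

#######################################
# Section 2: enable scheduled update checks and automatic installation of
# app, config-data and critical updates.
# Globals: applied, findings (written)
#######################################
configure_auto_updates() {
  local plist=/Library/Preferences/com.apple.SoftwareUpdate
  local key
  printf '%s\n' "=== 2. Auto-update check ==="
  # A failure of the scheduler toggle was previously ignored; record it as a
  # finding instead so the operator can verify the setting by hand.
  softwareupdate --schedule on \
    || findings+=("softwareupdate --schedule on failed; verify automatic update checks in System Settings")
  for key in AutomaticallyInstallAppUpdates AutomaticDownload ConfigDataInstall CriticalUpdateInstall; do
    defaults write "$plist" "$key" -bool true
  done
  applied+=("auto-updates")
}

#######################################
# Section 3: report whether FileVault is on; enabling it needs the UI.
# Globals: findings (written)
#######################################
check_filevault() {
  local fv_status
  printf '%s\n' "=== 3. FileVault check ==="
  # Only the first line of `fdesetup status` is inspected; the check looks for
  # the word "On" in it.
  fv_status=$(fdesetup status 2>/dev/null | head -1) || fv_status=""
  if [[ -z "$fv_status" ]]; then
    # Distinguish "could not ask" from "asked and it is off".
    findings+=("FileVault status could not be determined (fdesetup status produced no output); check manually")
  elif [[ "$fv_status" != *"On"* ]]; then
    findings+=("FileVault is OFF; enable manually via System Settings → Privacy & Security")
  fi
}

#######################################
# Section 4: if Remote Login (sshd) is enabled, install a drop-in that
# disables root and password logins, then restart sshd.
# Globals: applied, findings (written)
#######################################
harden_ssh() {
  local conf_dir=/etc/ssh/sshd_config.d
  local conf="$conf_dir/00-uaml-operator-hardening.conf"
  local main_conf=/etc/ssh/sshd_config
  printf '%s\n' "=== 4. SSH (if user enabled remote login) ==="
  if ! launchctl list 2>/dev/null | grep -q com.openssh.sshd; then
    return 0   # remote login not enabled; nothing to harden
  fi
  # sshd keeps the first value it reads for a keyword, so the "00-" prefix
  # lets this drop-in take precedence over later files matched by Include.
  mkdir -p "$conf_dir"
  cat > "$conf" <<'CFG'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
CFG
  chmod 0644 "$conf"
  # The drop-in is only effective if the main config includes the directory.
  if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' "$main_conf" 2>/dev/null; then
    findings+=("$main_conf does not Include $conf_dir; the SSH hardening drop-in is not being read")
  fi
  # Never restart on a config sshd rejects: with password logins disabled a
  # broken config could lock the operator out of remote access.
  if ! sshd -t; then
    findings+=("sshd -t rejected the configuration after writing $conf; fix it before restarting remote login")
    return 0
  fi
  launchctl kickstart -k system/com.openssh.sshd 2>/dev/null || true
  applied+=("ssh-hardening")
}

#######################################
# Print the tags applied and the findings collected ("none" when empty).
# Globals: applied, findings (read)
#######################################
print_summary() {
  printf '\n'
  printf 'Applied: %s\n' "${applied[*]:-none}"
  printf 'Findings: %s\n' "${findings[*]:-none}"
}

main() {
  require_root
  harden_firewall
  configure_auto_updates
  check_filevault
  harden_ssh
  print_summary
}

main "$@"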
