Since /etc/ is a symbolic link to /private/etc/ on OS X, aren't /etc/hosts and /private/etc/hosts the same file? I'm not sure what is meant by:

! But there is local per User hosts file "/private/etc/hosts"

Minor note, but Lockdown.app has many false-postive/negatives on OS X 10.11.6. It doesn't seem to be updated for El Capitan.

Here are two examples of confusing results for an audit:

Enabling Filevault 2 lists Admin users at boot regardless of the "Display login window as: Name and password" in the Users and Groups login options.

Is there a work around?

Never edit the sudoers file directly. Always use visudo and work on a file in /etc/sudoers.d/ or you will suffer great pain as you mangle the file and suddenly have to reload the OS because of a typo causing invalid syntax. Using visudo checks before installing your changes, and working on a separate file means you can remove the offending file in worst case to recover. Multiple files are also much easier for cfgmgmt to work with.

Also, disabling caching is a pretty sure way to guarantee users add in entries like:

Defaults:%group !authenticate

which completely bypasses reauthentication.

I did the Automatically Lock the Login Keychain thing. It makes me crazy, asking for my loooong passphrases way too frequently. I went to Keychain Access selected the login Keychain, and turned it off. I still get prompted for ssh passphrases, ScanSnap, blah blah blah. How do I really stop this?

Hello,

For two updates or so on Mojave I've encountered an issue regarding the part about the use of the pwpolicy command. For example the option setpolicy is now deprecated and even though I tried to bypass it by playing with other options in many ways to figure out how to kind of properly set up the same command as the one show in the guide:

pwpolicy -u -setpolicy "minChars=8 requiresAlpha=1 requiresNumeric=1 maxMinutesUntilChangePassword=259200 usingHistory=5 usingExpirationDate=1 passwordCannotBeName=1 requiresMixedCase=1 requiresSymbol=1"

It didn't work and the related file that the command writes in isn't updated as it was before. Did some of you figured out a way yet to enforce such a policy on recent Mojave updates?

Thank you!