From f53f60aac8483879f2cca1bfb0832074f4f46065 Mon Sep 17 00:00:00 2001
From: Michele Cereda
Date: Fri, 19 Jan 2024 18:59:46 +0100
Subject: [PATCH] feat: how to securely delete files
---
knowledge base/gnu userland/coreutils.md | 31 +++++++
...coreutils.placeholder => date.placeholder} | 0
knowledge base/gnu userland/shred.md | 47 ++++++++++
knowledge base/mac os x/README.md | 87 ++++++++++---------
knowledge base/securely delete files.md | 42 +++++++++
5 files changed, 167 insertions(+), 40 deletions(-)
create mode 100644 knowledge base/gnu userland/coreutils.md
rename knowledge base/gnu userland/{coreutils.placeholder => date.placeholder} (100%)
create mode 100644 knowledge base/gnu userland/shred.md
create mode 100644 knowledge base/securely delete files.md
diff --git a/knowledge base/gnu userland/coreutils.md b/knowledge base/gnu userland/coreutils.md
new file mode 100644
index 0000000..e03ca94
--- /dev/null
+++ b/knowledge base/gnu userland/coreutils.md
@@ -0,0 +1,31 @@
+# Coreutils
+
+The basic utilities for file, shell and text manipulation of any GNU operating system.
+These are expected to be available on every operating system.
+
+1. [Further readings](#further-readings)
+1. [Sources](#sources)
+
+## Further readings
+
+- [`shred`][shred]
+
+## Sources
+
+All the references in the [further readings] section, plus the following:
+
+- [GNU Coreutils]
+
+
+
+
+[further readings]: #further-readings
+
+
+[date]: date.placeholder
+[shred]: shred.md
+
+
+[gnu coreutils]: https://www.gnu.org/software/coreutils/
diff --git a/knowledge base/gnu userland/coreutils.placeholder b/knowledge base/gnu userland/date.placeholder
similarity index 100%
rename from knowledge base/gnu userland/coreutils.placeholder
rename to knowledge base/gnu userland/date.placeholder
diff --git a/knowledge base/gnu userland/shred.md b/knowledge base/gnu userland/shred.md
new file mode 100644
index 0000000..fdc1a4e
--- /dev/null
+++ b/knowledge base/gnu userland/shred.md
@@ -0,0 +1,47 @@
+# `shred`
+
+Overwrites devices or files in a way that helps prevent even extensive forensics from recovering the data.
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+1. [Sources](#sources)
+
+## TL;DR
+
+```sh
+# Pass on files more than 3 times.
+shred -fn '10' 'path/to/file.1' … 'path/to/file.N'
+shred --force --iterations '10' 'path/to/file.1' … 'path/to/file.N'
+
+# Delete files and try hiding the shredding.
+shred -uvz 'path/to/file.1' … 'path/to/file.N'
+shred --remove --verbose --zero 'path/to/file.1' … 'path/to/file.N'
+
+# Purge directories.
+# `shred` does *not* accept directories as arguments.
+find 'directory' -type f -exec shred -fu {} '+' \
+&& find 'directory' -type d -empty -print -delete
+```
+
+## Further readings
+
+- [Coreutils]
+
+## Sources
+
+All the references in the [further readings] section, plus the following:
+
+- [`shred`: remove files more securely][shred: remove files more securely]
+
+
+
+
+[further readings]: #further-readings
+
+
+[coreutils]: coreutils.md
+
+
+[shred: remove files more securely]: https://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html
diff --git a/knowledge base/mac os x/README.md b/knowledge base/mac os x/README.md
index 1a40dfe..160c3ae 100644
--- a/knowledge base/mac os x/README.md
+++ b/knowledge base/mac os x/README.md
@@ -1,7 +1,5 @@ # Mac OS X -## Table of contents - 1. [TL;DR](#tldr) 1. [Hidden settings](#hidden-settings) 1. [Image manipulation](#image-manipulation)
@@ -23,22 +21,6 @@ ## TL;DR ```sh -# Keep the system awake. -caffeinate -caffeinate -t 600 - -# Do a network speed test. -networkquality -sv - -# List open ports. -netstat -netstat -n -p 'tcp' -lsof -n -i ':443' -sudo lsof -n -i 'TCP' -s 'TCP:LISTEN' - -# Get the PID of processes using specific ports. -lsof -nt -i ':443' - # Install Xcode CLI tools. xcode-select --install
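Review bot: In shred.md, the opening sentence ("helps prevent even extensive forensics from recovering the data") is given without the condition that makes it true: `shred` only works when the file system and the storage device overwrite data in place. The GNU manual linked under Sources lists cases where that assumption fails, such as journaled or log-structured file systems, snapshots and compressed file systems, and flash storage with wear levelling is commonly put in the same group. I would add a line right under the description, e.g. `Only effective when data is overwritten in place; journaling or copy-on-write file systems, snapshots and SSDs may keep old copies.` The same caveat belongs next to the "Pass files with `shred`" step in `securely delete files.md`, which currently links here without any qualification.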
@@ -48,6 +30,7 @@ xcode-select -p # Remove Xcode tools. sudo rm -rf $(xcode-select -p) + # List all available updates. softwareupdate --list --all 
@@ -58,54 +41,74 @@ softwareupdate --install --recommended --restart --agree-to-license # Download (but not install) recommended updates. softwareupdate --download --recommended -# Check an NFS share is available on the network. + +# Keep the system awake. +caffeinate +caffeinate -t '600' + +# Perform network speed tests. +networkquality -sv + +# List open ports. +netstat +netstat -n -p 'tcp' +lsof -n -i ':443' +sudo lsof -n -i 'TCP' -s 'TCP:LISTEN' + +# Get the PID of processes using specific ports. +lsof -nt -i ':443' + +# Clear the DNS cache. +sudo dscacheutil -flushcache; sudo killall -HUP 'mDNSResponder' + + +# Check NFS shares are available on the network. showmount -e 'host' -# Mount an NFS share. +# Mount NFS shares. sudo mount -t 'nfs' 'host:/path/to/share' 'path/to/mount/point' sudo mount -t 'nfs' -o 'rw,resvport' 'host:/path/to/share' 'path/to/mount/point' -# Install a .pkg file from CLI. -# 'target' needs to be a device, not a path. -installer -pkg /path/to/non-root-package.pkg -target CurrentUserHomeDirectory -sudo installer -pkg /path/to/root-needed-package.pkg -target / -# Clear the DNS cache. -sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder +# Install .pkg files from CLI. +# 'target' needs to be a *device*, not a path. +installer -pkg '/path/to/nonroot-package.pkg' -target 'CurrentUserHomeDirectory' +sudo installer -pkg '/path/to/root-needed-package.pkg' -target '/' -# Add a password to the default keychain. + +# Add passwords to the default keychain. # The password needs to be left last. -security add-generic-password -a johnny -s github -w 'b.good' - -# Add a password to the default keychain giving it some optional data. -security add-generic-password -a johnny -s github -l work \ +security add-generic-password -a 'johnny' -s 'github' -w 'b.good' +security add-generic-password -a 'johnny' -s 'github' -l 'work' \ -j 'my key for work' -w 'b.good' # Update passwords' value. 
-security add-generic-password -a johnny -s github -l work -U -w 'new-pass' +security add-generic-password -a 'johnny' -s 'github' -l 'work' -U -w 'new-pass' # Print passwords to stdout. -security find-generic-password -w -a johnny -s github -security find-generic-password -w -l work -security find-generic-password -w -l work -s github +security find-generic-password -w -a 'johnny' -s 'github' +security find-generic-password -w -l 'work' +security find-generic-password -w -l 'work' -s 'github' + +# Delete passwords from the default keychain. +security delete-generic-password -a 'johnny' -s 'github' -# Delete a password from the default keychain. -security delete-generic-password -a johnny -s github # Get the host's bonjour name. scutil --get LocalHostName /usr/libexec/PlistBuddy -c "Print :System:Network:HostNames:LocalHostName" \ - /Library/Preferences/SystemConfiguration/preferences.plist + '/Library/Preferences/SystemConfiguration/preferences.plist' # Get the host's netbios name. defaults read /Library/Preferences/SystemConfiguration/com.apple.smb.server NetBIOSName /usr/libexec/PlistBuddy -c "Print :NetBIOSName" \ - /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist + '/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist' # Get the host's computer name. scutil --get ComputerName /usr/libexec/PlistBuddy -c "Print :System:System:ComputerName" \ - /Library/Preferences/SystemConfiguration/preferences.plist + '/Library/Preferences/SystemConfiguration/preferences.plist' + # Get environment variables from inside launchd. launchctl getenv 'key' @@ -127,6 +130,10 @@ launchctl start 'job_label' # Stop jobs. launchctl stop 'job_label' + + +# Enable file trimming on SSD. +sudo trimforce enable ``` ## Hidden settings diff --git a/knowledge base/securely delete files.md b/knowledge base/securely delete files.md new file mode 100644 index 0000000..2b557be --- /dev/null +++ b/knowledge base/securely delete files.md 
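Review bot: The `security add-generic-password … -w 'b.good'` examples in the hunk that starts at `@@ -58,54 +41,74 @@` pass the secret as a command-line argument, so it is saved in the shell history and is readable in the process list while the command runs. As far as I recall, `security` prompts for the password when `-w` is the last option and has no value, which is presumably what the existing "The password needs to be left last" comment hints at; please confirm against `security help add-generic-password`. I would show that form first, `security add-generic-password -a 'johnny' -s 'github' -w`, with a comment such as `# Omit the value after '-w' to be prompted; inline values end up in the shell history.` The same applies to the `-U -w 'new-pass'` update line.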
@@ -0,0 +1,42 @@
+# Securely delete files
+
+1. [TL;DR](#tldr)
+1. [Further readings](#further-readings)
+1. [Sources](#sources)
+
+## TL;DR
+
+FIXME: add disk encryption considerations.
+
+On systems with GNU userland:
+
+1. Pass files with [`shred`][gnu shred].
+
+On Mac OS X:
+
+1. Enable trim enforcement if it is using a SSD:
+
+ ```sh
+ sudo trimforce enable
+ ```
+
+## Further readings
+
+- [GNU `shred`][gnu shred]
+
+## Sources
+
+All the references in the [further readings] section, plus the following:
+
+- [Mac OS X]
+
+
+
+
+[further readings]: #further-readings
+
+
+[gnu shred]: gnu%20userland/shred.md
+[mac os x]: mac%20os%20x/README.md
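Review bot: The Mac OS X step presents `sudo trimforce enable` as the way to securely delete files, but enabling TRIM removes nothing by itself: it only lets the system tell the SSD which blocks are free, and when (or whether) those blocks are physically erased is left to the drive. As far as I know `trimforce` is also aimed at third-party drives, so the step may not apply to Apple-supplied SSDs at all. I would reword it to `1. Enable TRIM on third-party SSDs so that freed blocks are reported to the drive (this does not guarantee erasure):`. The open `FIXME` is the more important part of this page, since on flash storage full-disk encryption with the key discarded is usually the dependable control, so I would resolve it before the page is relied on.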