Slashdot Mirror
Mac OS X Maximum Security
It really didn't concern me until one day when I was checking the logs on my Mac OS X box while developing a web app and discovered dozens of entries from all over the globe probing my box to see if it was an insecure IIS server. I then decided I needed to pay attention to security alerts and the help of a book like Macintosh OS X Maximum Security to help me understand and fix any holes.
The Good
The book is divided into four sections. Part 1 is about learning to think about security, covering such topics as physical security and protection from your users and bad guys. Part II, 'Vulnerabilities and Exposures,' covers the various sorts of attack such as password attacks, trojans and worms, sniffers and spoofing. Part III, 'Specific Mac OS X Resources and How To Secure Them,' covers just that, the various servers such as FTP, mail, Apache and SSH and how to go about making them safe. The final part covers attack prevention, detection, reaction and recovery with topics such as firewalls, alarm systems, logs and disaster planning.
Macintosh OS X Maximum Security is a large, extremely comprehensive volume. For the average person who wants to protect a small home network the information it provides is probably overkill. To make matters worse, the style is fairly verbose, particularly in the first section. Of course, if you want to secure a company network then you may need to know all the information -- and so all this background material is useful, if only so you can reach the right level of paranoia and suspicion.
The book is not a 'recipe' book that tells you "take these steps and you will have a secure machine"; rather it takes you through the possible holes and how to fix them. This approach seems much better for security, since it teaches you a respect for the places you have to open up and a methodical approach to doing so that will hopefully carry over beyond the specifics addressed. Any recipe is bound to have flaws since the operating system and the services are all changing, I'm hoping the methods and style this book have imparted to me will last beyond any changes.
The book also deals well with all the Macintosh-specific stuff, informing you well about such topics as Rendezvous, Apple Remote Desktop, using NetInfo and the like. One aspect that isn't well covered is Airport; securing an 802.11 network is barely touched on.
The Bad
The information provided in all areas of the book is quite detailed, and includes many links to further places to look for more (and more recent) information. Once again, for a book in an ever-changing field like security, this is a huge benefit. I would have appreciated some sort of a small website devoted to the book with the links mentioned gathered together and perhaps some notes on how things may have changed since the book's publication. Unfortunately the Sams Publishing site has a broken link to the book and while the authors say "we are creating a security section for the www.macosxunleashed.com website," no such section exists as I was writing this review. Frankly I am disappointed at this, I think with a book on this sort of topic it behooves either the publisher or author to provide a place for errata, discussion and notes. The best you can do is go to Amazon where you can see the Table of Contents and one chapter. [Ed. Note: The site's errata section is currently up and running.]
My only real complaint with the book itself is the huge size, and the long-winded nature of some of the material. I found the first two sections in particular almost tedious and definitely lecturing in tone. I would have rated this book higher if the editors at Sams had taken a large red pencil to slabs of the first section. Overall, I'd say that while not a 'must buy,' this book will have to do till I find something better, and I expect to loan my copy to several friends.
You can purchase Mac OS X Maximum Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
First off your right the windowing enviroment is not KDE or GNOME, its designed with a OS 9 and prior user in mind. BUT it doesnt preclude the use of X apps since you can infact run X apps no problem with X11 which is a free download FROM APPLE!!!! Panther will actually have this built in BTW.
Second unless you have been living under a rock Darwin has a huge thriving open community and has full access to a lot of the OS from Apple.
Third Mach is neXt NOT Apple, yes owned by Steve, but the true story on how they came to use is is actually a really interesting read and has more to do with the man who created OS X than it does anything Apple told the team to do (Apple had their own kernal that was trashed by the guy)
And everything in netinfo is able to be done in terminal so dont open your mouth unless you know what the hell your talking about.
And of course they locked users in.... THEY ARE A HARDWARE COMPANY NOT A SOFTWARE COMPANY!!!! I hate when people miss the fact that Apple supports its self on hardware, NOT software. Why the hell do you think they killed off the clones, they where losing money big time to the point of going under.
"Slashdot, where telling the truth is overrated but lying is insightful."
everything is turned off by default.
apple has been very responsive to sec alerts and networking passwords are encrypted.
you can also ftp over ssh. (sftp) type stuff if you need to move a files over... there is also apple remote desktop and timbuktu to let you control the machine in all its aqua glory..
i do believe (for what its worth as I am comparing this to win and top tier linuxes) its the most secure out of the box..
insert blah blah no system is totally secure statement here
of course this is true, but out of the box and over the past 2 years OSX has been and is a reamrkable product...
> they don't even use X at all!
What Apple is providing is an Apple-original window system that is graphics model agnostic, as well as a vector drawing system that maps very well to PDF, which is a sort of PostScript without the non-graphical operators. This is packaged under the name 'Quartz' for easy reference by Marketing types.
The window system is designed to support both buffered (like an offscreen PixMap) and unbuffered windows, and is graphics model agnostic, working equally well with QuickDraw, OpenGL, the Quartz drawing engine, X11, and third party solutions, and managing window geometry for the Classic, Carbon, and Cocoa environments. The server portion is a hybridization of screen arbiter and compositor models (and if that's all Geek to you, don't worry about it).
The Quartz drawing engine supports drawing primitives similar to the graphics primitives that might be found in the DPSClient single-operator primitives library for X and NeXTSTEP. There are no math and flow control primitives, as these can be done more efficiently in the native
compiled code. There are no DPS or PS wrappers, as this optimization for server-side graphics is not needed in the Quartz client-side graphics model.
The operations provide imaging and path construction and filling operations as well as some interesting other bits that map well into the direction that 2D drawing is headed. (See Longhorn, or the X raster projects.) The drawing engine can output to rasters (like a window!), as well as PS and PDF streams to feed printers. The Mac OS X printing system takes advantage of the capabilities of Quartz to support all sorts of printers, and make the life of printer driver developers much, much easier.
Things we'd need to add/extend in X Window software (protocol+server+manager+fonts+...):
1) Extend font server and services to vend outlines and antialiased masks, support more font types, handle font subsetting.
2) Extend drawing primitives to include PS-like path operations.
3) Add dithering and phase controls.
4) Add ColorSync support for drawing and imaging operations, display calibration
5) Add broad alpha channel support and Porter-Duff compositing, both for drawing in a window and for interactions between windows.
6) Add support for general affine transforms of windows
7) Add support for mesh-warps of windows
8) Make sure that OpenGL and special video playback hardware support is integrated, and behaves well with all above changes.
9) We find that we typically stream 200 Mb/sec of commands and textures for interactive OpenGL use, so transport efficiency could be an issue.
So, yes, it looks like we can use X for Quartz. All we need do is define extensions for and upgrade the font server, add dithering with phase controls to the X marking engine, add a transparency model to X imaging with Porter-Duff compositing support, make sure GLX gets in, upgrade the window buffering to include transparency, mesh warps, and really good resampling, and maybe augment the transport layer a bit.
Ummm... There doesn't appear to be much code left from the original X server in the drawing path or windowing machinery, and it doesn't appear that apps relying on these extensions can work with any other X server. Just what did we gain from this?
Oh, yeah. My mom can run an xterm session on her desktop now without downloading the Apple X11 package, a shareware X server or buying a software package.
Been there, evaluated that.
Apple has a Security Technology Brief which is a somewhat simplified but comprehensive overview of the hardware and software security features of Macs and Mac OS X.
a /w ww.apple.com/macosx/pdfs/Security_TB.pdf
http://a368.g.akamai.net/7/368/51/edcf434107944
For fun a decided to compare open ports on default but updated installs of OSX and XP.
Windows XP Box Port Scan
Max OSX Port Scan
Gentoo Port Scan
It's cheaper at Amazon.com and there's free shipping, too. Posting AC to avoid karma whoring.
I've been thinking of picking up this book, specifically because it is geared towards Mac OS X, although i am not overall very fond of the maximum security series.
Anyone else looking for some good OS X secuity books shoudl chech out the latest edition of Practical Unix and Internet Security published by O'Reilly. I have the second edition, and its a great book, and the third edition specifically mentions OS X and solaris, in addition to the standard *BSD unix and Linux information.
Look out honey cause I'm usin' technology
Ain't got time to make no apologies
[shadyserver: ~] shady% apropos netinfo
n ge" line of thought, NetInfo is a very powerful tool.
netinfo(3) - library routines for NetInfo calls
netinfod(8) - NetInfo daemon
nibindd(8) - NetInfo binder
nicl(1) - NetInfo command line utility
nidomain(8) - NetInfo domain utility
nidump(8) - extract text or flat-file-format data from NetInfo
nifind(1) - find a directory in the NetInfo hierarchy
nigrep(1) - search for a regular expression in the NetInfo hierarchy
niload(8) - load text or flat-file-format data into NetInfo
nireport(1) - print tables from the NetInfo hierarchy
niutil(1) - NetInfo utility
NetInfo is not really analogous to the windows registry. if you want to compare it to something in the windows world, a better comparison would be active directory.
NetInfo is basically a directory services manager, and is used for managing users, groups, machines, etc etc. It had read/write ability with LDAP v3, and read only ability for LDAP v2. It can also read its configuration from the standard bsd flat files, using the niload utility. You can even dump your netinfo configuration for printers, users, hosts and such to a standard bsd flat file using the nidump util.
But the best part of NetInfo is that it can integrate almsot seamlessly with an active directory domain, and get all its users and policy from your windows active directory server. once you get beyond the "its proprietary/i-dont-understand-it/im-scared-of-cha
For more refence, the great book "Mac OS X for Unix Geeks" has a whole chapter devoted to netinfo, what it is, and how it works. The Mac Dev center also recently published two articles on netinfo, and integrating it with Active Directory. Part 1 and Part 2
Look out honey cause I'm usin' technology
Ain't got time to make no apologies
There was an AppleScript worm. I suppose you could call it 'the applescript worm'. Of course, it required a Microsoft mailer to propogate.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Russell
Sure, this guy is a troll. But these are legitimate criticisms, with at least a grain of truth to them anyway.
A grain of truth perhaps, but no more.
Firstly, quartz is a low level graphic driver, it creates no more problems for running X than NVidea's closed source X driver for Linux, and even sits in the same place between the user and the OS, nor does it create any more moral dilemmas.
As for the binary format, Mach-O is not a proprietary binary format that is exclusive to Apple, but to the old variant of Mach that NeXT chose to base NeXTSTEP on. It was not deliberately made to break BSD compatibility, as the BSD Unix variant that was used in conjunction with the Mach microkernel as the basis of NeXTSTEP certainly did not support ELF binaries.
It's ridiculous to claim that "Apple has moved most configuration info into a proprietary database called netinfo" For starters, Netinfo is not a configuration repository like the Windows registry, but a distributed database which allows centralised management of the resources contained in it. In addition the entire source code to netinfo is available from Apple.
Most configuration files - such as those for applications, are contained in XML configuration files, something which other operating systems would do well to learn from.
Nothing is perfect, but I'd prefer people criticizing OS X and Apple to be able to cite facts rather than FUD.
Why is the terminal not able to send PgUp and PgDn? why can dock items not have static labels? why are we not able to control the appearance of the OS beyond skins? why does the OS not support DPI scaling throughout despite being fully based on scalable graphics? why does it still crash if unceremoniously disconnected from SMB shares? Why not license the OpenStep environment for other platforms?
The only legitimate concern raised by the author of the original parent comment in my opinion is that so much of the OS is still closed source, and I'm loathe to complain about that fact because Apple still lead all other commercial Unix vendors in the openness of their base OS.
http://uptime.netcraft.com/up/graph?site=www.army. mil ...is just one of many large SECURE classic MacOS distributed servers.
:
Except for the fact that it's not
The site www.army.mil is running 4D_WebSTAR_S/5.3.0 (MacOS X) on MacOSX.
Don't become a regular here -- you will become retarded.