Slashdot Mirror
Symptoms of Mac OS X Hack?
goatbar asks: "Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were Linux, I would drop in Knoppix, figure out which way I got hacked, backup the system, reinstall, secure it and be back up in a couple hours. However, with OSX what can I do? Does anyone have strategies for regaining access to the machine and doing a post-mortem? I'm going to bring up the system drive on a laptop, but then what? I can back it up, but other than the system logs, where to look beyond the usual '.BitchX' and '...' directories. How do I easily tell what other annoying little things have been installed?"
When did it happen, do you know? If so then you can search the drives for files that were created/modified on or after that date. That should allow you to restrict the number of things that you need to look anywhere from some to significantly.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Boot off the install cd/dvd, and you can change your root password to anything you wish.
After that its just a matter of recreating accounts and adjusting permissions. You can do that pretty easily in the Finder by getting info on a folder and changing permissions for all the contents of that folder and it's sub-folders in one click.
Vonal Declosion
you bought a proprietary software system on a proprietary hardware platform.
Dust off your SLA and call Apple.
Don't have a SLA? Dang, you're FUBARed.
"Piter, too, is dead."
Until today I still have to figure out how to create accounts without using the GUI.
Reset password via the InstallCD and boot it into normal singleuser. Can't remember the key-combo now, but it should be something like Apple+s.
- Baffle
I've never dealt with a hacked Mac (cuddles powerbook and shivers in fear). However, some standard procedures would apply:
(1) Isolate it from the network. Unplug ethernet, turn off any wireless access points (if Airport was set up on it).
(2) Boot off a known good media. This means the OSX recovery CD (or DVD with newer models). I've never done it, but presumably you should be able to mount your Mac's hard drive, get to a terminal window and be able to poke around and repair the damage as with any other system.
(3) If you don't want to repair (which can be risky if you don't know what's infected), copy off all files & data that you want to keep (avoid copying anything that's executable because that could be infected / trojaned) - then manually erase as much of everything that you can, ideally wiping the hard drive and low-level formatting it. Then boot off the recovery media / OS X install disks - and do a full re-image of the machine.. disable remote access, turn on the firewall in system settings -> sharing -> firewall, patch the OS.. reinstall all applications then restore the data that you backed up. And this time use strong passwords.
Step 3 really is the only way to be sure that the system is no longer infected.
As others have mentioned, you can use the System install disk to change your root password (which may be what was done to you). At the first splash screen, look in the menu bar to select the pasword reset utility.
Also, if you'd like to look around, you can boot into single user mode using command-s when booting. once you see the command prompt, just go nuts.
Another option is to boot off of another drive with the OS on it. Target disk mode is very handy for this. you can do it with 2 desktops, or one laptop and one desktop. An external drive is possible. Also, you can find ways to make a bootable OS X CD to work from w/o working from the original drive if you can get to another Mac to build the CD on.
I am, and always will be, an idiot. Karma: Coma (mostly effected by
One place you can look to see what was installed on your computer...go to /Library/Receipts. This has a small .pkg file that is left behind every time something is installed through a package on the computer (which anything but a basic application will have). This should give you an idea of everything that has been installed on the computer since the OS was installed. Also, to reset your main password, put in the original OS install disc that came with the computer. Under File, you can select an option to reset passwords.
Gentoo offers a Linux live cd you can boot from, if there isn't a Knoppix live cd for PPC
really, how else are you going to be sure?
you can't trust timestamps(as some have suggested), you certainly can't trust any receipt/installation logs of macosx itself either, you can't trust binaries, you can't trust ANYTHING(except dummy data files with no data that ever gets executed, through other exploits or whatever).
and REALLY, how do you _really_ figure out what binaries were compromised on a linux system you could rescue with knoppix? all you can do is to hope that they didn't install anything except bitchx with some scripts to zombie you..
world was created 5 seconds before this post as it is.
after getting access as described here is how I deal with my machines
/Users/shared folder and move it into a your user folder.
/Users/Shared folder you renamed in step 1. (this is needed because the shared folder is not quite hndeled right by archiva and install)
/Library folder. There are very few apps that actually need anything stored in libraries folder and most of these are in application suport and prefs sub dirs. nearly all prefs can be wiped. as a pre-screen you can search for anything in this folder that is an executable or a .app using "find". these are highly suspect, but not neccessarily evil.
/sw for fink.
/bin /etc /usr. some non-apple freindly unix packages do, but you would probably know this. if you only used fink or only installed in the users's space then you are fine. if you installed in to places like /usr or /opt then you are on your own.
0) first rename the
1) do a full install of the system using the archive and install mode. this gives you a blank system with the default apps. But with all your old system stored in a folder.
2) re create all your users if any are missing and copy back their files. and move back the
3) drag and drop the contents of the old-applications folder on the new applications folder. When it asks you if you want to overwite check NO. this will give you clean copies of the apple apps and give you your old other appls back.
do the same with the Utilities folder.
4) now very selectively do the same with the
5) copy back any other root level folders that you personally created previously such as
6) go back and double check that all those applications and utilities that were not apple apps and utilites are okay. This is not simple but at least check some creation dates.
that should pretty much do it. what you will miss are any boot time services, host files, tcp permissions, cron jobs or firewall settings you hand tweaked, you installed as those config files are now wiped. It's possible your keychain will get corrupted but not neccessaility. and if you created any new users inthis process and their explict UID and GROUPID numbers are important you can edit these using the netinfo utility. Normal installations of packages and applications on apples do not tinker with
Some drink at the fountain of knowledge. Others just gargle.
that might help for general OS X security: http://www.securemac.com/
Other than that, starting off the install CD and resetting the password, as others mentioned before.
You can follow the same procedure you use for your linux recovery -- put in the install cd or darwin cd, boot to a shell, mount up the disk read only and perform your backup, analysis, and then recover by whatever means you want.
To boot to a shell using the install cd you have to go into open firmware and set OF to pass the -s option to the mach kernel. The darwin CD will give you the option to jump to a shell right off the bat.
You can reset the passwords if you boot off the OS install CD
- Zav - Imagine a Beowulf cluster of insensitive clods...
It might not help, but who knows what was run - you might see some clues there. Look in both Library/Logs/ and ~/Library/Logs/. Make sure you check the one for the user in question in the former since some user specific info is store there.
Security exploits, Mac Spyware and hacks like these, IMHO, will contune to increase as OS X becomes more popular.
But, this has already been predicted.
I think I think, therefore I think I am.
probably the easiest way (no cd required) is to boot into single user mode (holding apple+s during boot)
/
/var/db/.AppleSetupDone
you will be dropped into command prompt.
Mount disks
mount
then remove this file
rm
note the '.' as it's a hidden file..
then just reboot
(reboot)
and you will walked through the first time Setup and Config dialogs just like it was a new machine.
This will allow you to create a new admin account and change the other users' passwords. (make sure not to create a user with the same shortname as another user)
note this is a good way to 0wn any Mac you can get physical access to..
You can only modify /Applications if you're an admin user. Standard users don't have write privileges in /Applications. Though OSX doesn't do it by default it ought to make all new users Standard users. Panther will ask if to authenticate if you do try to drag something into /Applications.
I'm a loner Dottie, a Rebel.
I now have quite an evil grin on my face. I can't wait to try this out because I know it'll work. Why didn't I think of this?
http://www.sysresccd.org/
They have a PPC edition.
Right, this is in Jaguar, and something she got off P2P easily could have mucked around inside /Applications/Internet Explorer.app/ without asking to authenticate. Because she's an admin. Fortunately it didn't try.
There are no trails. There are no trees out here.
This isn't necessarily a way to fix your system, but it's some points to check to see what's there.
/Sys/Lib/Extensions /Sys/Lib/StartupItems /Sys/Lib/Frameworks/ /Sys/Lib/PrivateFrameworks /Library
/etc/hostconfig, /etc/rc* . I poke with those files a lot so I have some familiarity with what they're supposed to be like.
/var/log/ can be useful stuff too, if you know the timeframe of when stuff happened (hackers aren't likely to clean up system logs that might have traced some actions unknowingly - by default, sudo commands are logged). Similarly, getting used to how dmesg is supposed to look and what ps -auxww is supposed to provide is important.
/Library's contents (anywhere in it) can affect your system a lot, but most (all?) of those items aren't essential, you should be able to freely remove whatever you want.
:P
/Users) and move things over that you think you need.
You'd want to check these directories for anything you don't recognize are doesn't seem like they belong,
- same goes for
Now keep in mind that existing items can be modified, not just added. It's good to familiarize yourself with a base install. For anything that you don't recognize, check your Receipts directories to see if they were installed with some credibility.
You'd also want to check
You'd also like to examine dot-files and stuff. To make it short, there's a lot of places that shit can go in, but script kiddies aren't that smart and actions may be obvious.
Keep in mind that
To check your system without using it, you can always boot off of a OS 9 volume if your system supports that (it can fit on a CompactFlash card... with my old PowerBook I can at least boot from the PCMCIA slot). I also have 10.1 on another volume that's good for prodding my Panther system with.
NetInfo is a bit of a pickle to familiarize yourself with. Or at least, I haven't familiarized myself with most of the stuff in there yet
Anyway, none of this is a guaranteed way to find or fix problems, but it can reveal what's happened. If your system's been comprimised, your only recourse is to wipe it out. Don't even use your old User accounts, as dotfiles and ~/Library may have comprimised stuff. Keep it around with unknown:unknown ownership (and not in
Moderators should have to take a reading comprehension test.
Letting your GF run Explorer? Chivalry is dead, indeed.
I've heard from some inside sources that Apple are looking to adopt something very similar to Solaris BSM auditing for OSX.
This doesn't help you much at the moment, but maybe sometime down the track, this may help you diagnose what was changed on your system.. (Subject, of course, to your logs being pushed off the compromised system as soon as they're generated, and maybe the attacker not noticing the auditing capability).
Red.
If you think you were hacked than assume you were hacked. Boot up the machine in Firewire target mode, mount the drive on another mac, and copy over your Users folder.
Re-boot your machine and install from scratch and then re-install you applications. You can then copy the Users folder back over and create your users. OS X should set the permissions correctly on the folders in Users if you use the same usernames (IIRC). It's the only way to be sure...
What, me worry?
In any case, you can always compare the files you have with files you should have. This involves having a backup of files, and doing the compare with a known good media (such as a recovery CD).
I have absolutely no idea about Mac OS X, but at least on other Unix platforms you can cheat if you don't want a full backup: make secure hashes (such as MD5 or SHA-1) of all your files. Burn them on a CD (so they can't be tampered with) and you can compare your files later if you want. This won't prove anything about new files ofcourse, or files updated, or otherwise modified, but it does help somewhat. And before somebody points it out, there is a theoretical chance that two hashes match even if the files are different. This is why you want secure hashes. For better confidence, use two different hashes.
Just note that you need to compare EVERYTHING and then manually check/replace EVERYTHING that doesn't match. This includes things like the system kernel. Like said already, a single trojaned file is enough to compromise the whole system.
For pointers how to do it, see 'find', 'md5sum', and 'diff'. Shouldn't be too hard though..
Oh, and after restoring the system one should make sure all known vulnerabilities are patched, and all unnecessary services closed. But this ofcourse should be the case anyway, just like everyone should have backups (or hashes or both) anyway.
Just my .02 euros.
Software should be free as in speech, but if we also get some free beer, all the better.
At this point, you should recover all of your user data to an outside volume, either on the known good Mac or on a CD-R or network volume. If you want to do forensics on the compromised Mac, create a disk image from the compromised Mac's hard drive (warning - this may take up a lot of space). This will preserve everything from that machine in a way that can easily be mounted and studied. Put the compromised Mac away as evidence and do your examination from the disk image.
Log files are your friends. However, a good rootkit will include ways of deleting telltale info from log files. Another problem is that the prebinding process will alter binaries in different ways depending on the machine and the amount of RAM. The right way to do a comparison between the compromised machine and a known good machine is to use an identical machine (same model, same amount of RAM) and bring the system up to the same set of updates. Then you can useto create CRC32 checksums of the
To get the compromised Mac up and running again, you can't count on fixing everything in place. It's too easy to miss something that's been trojaned. You need to do an erase and install on the compromised Mac, re-install all of your applications, re-create the user accounts, then copy back the data that you backed up earlier. Be careful if some users have installed apps inside their home dirs that you re-install those fresh, as they may have been attacked as well. Also be sure to run a virus scanner on user files before restoring them to catch things like Word macro viruses.
Be careful of the users' login keychains, as the data in those may not be recoverable if the passwords were changed by someone who logged in as the users themselves. If the passwords were changed via an outside reset mechanism, such as an admin user or an install CD, then the old keychain passwords should still work.
Joel Rennich has a good account of studying a compromised Mac OS X machine a while back on his website, afp548.com. It's based on a little bit older version of the OS, but still good advice.
--Paul
I forget the exact keystroke (they have it listed at apple.com) but you can bring any recent Mac up as a FireWire hard drive andd access the drive from any Mac that can take a FireWire drive. Not sure if the dominant partner can be Linux but it can certainly be OS X and probably OS 9.
And you have to boot off a known good CD, or else you can't know that you're actually reading those hashes. But yeah.
There are no trails. There are no trees out here.
- separate datas, users accounts, my non Apple applications from system with 2 different partitions
- cleanly install the system and updates (stored on a separate drive) with no internet connection
- setup a temporary admin account during the install
- run a script (niutil, cp...) to recreate my environment (finally it's not that hard, just remember that users and groups are in netinfo and shadow passwords are stored in
/var/db/shadow/hash with the generateduids of the users) and drop the temporary account
- launch a complete replication of the system disk on an external (Emergency) drive (I currently use Mr. Bombich carbon copy cloner, but there are other solutions) which is useful to redo the first steps really fast (I mean 20 minutes from a drive, 30 minutes from my iPod which is becoming my "Emergency" drive). You can you the "rm local.nidb" trick to cleanly recreate the admin account
- go live.
This takes 2-4 hours with install from CDs, 1h from emergency drive.By the way, I also like to
- avoid the uid 501 admin
- replace the standard firewall (ipfw configured with ruleset from the SysPrefs) with a ruleset of my own (using the fantastic statefull feature, stealthing if necessary, explicitly closing ports I don't use to and from the computer, avoiding apps like MsOffice or Stuffit to call home) launched as a StartupItem
- check the basic security with nmap from the outside
- setup OpenFirmwarePassword and FileVault (sorry guys, physical access is not enough)
- check passwords are solid, currently with lcrack on shadow passwords
- make automatic backups of vital datas (thanks rsync) on external drive (and in my case my laptop which is then "in sync")
Of course, the second part is purely paranoid (except backups) as I'm not at all an interesting target (except if you want to read my code, discover my preferred films;-) but as I also do that for small companies I like (and occasionally work for), I feel a little bit more responsible and try it on my personal computer before deploying it for others.I also do that to learn a bit more what can be done as I'm not a sysadmin at all and not pretend at all being as pro as most of them.
ClaudeBBG
You guys keep talking about restoring old user accounts. Accounts? It's a Mac, would you let other people touch your Mac? Didn't think so. This thing should only have 2 user accounts, Root (which you dont use much) and 1 User
I realize you may only have one Mac to work with, but if you have two, you may want to try out Firewire target disk mode. It allows you to connect one Mac to another and use the first as an external disk. This is much more flexible than booting from the install CD.
Has anyone tried connecting a Mac in target disk mode to a PC with a Firewire card? Was the PC able to mount the Mac as an external disk? If you don't have another Mac, that may also work assuming the PC knows what to do with HFS filesystem.
...and not just on the receiving end, either. *malicious grin*
/System/Library/StartupItems is a favorite of mine, but /etc/rc* works too. But the question isn't about how to root a machine, but how to detect it. So here are a few of my suggestions:
.ssh, .*rc, .*history (don't assume they'll be in /Users) /var/log, especially wtmp, utmp, and lastlog. Lastlog, in particular, is often forgotten. /System and /Library against a known-good machine. Files in here don't usually change too much; it's the executables (/bin, /Applications) that get prebound, mostly.
OS X is relatively easy to "r00t", by various means. Until recently, nidump passwd was a SERIOUS problem - weak passwords could be broken within <48 hours with john on a fast machine. OS X also provides quite a few ways to patch your own code into a machine once you've rooted it, too -
* Mount the disk via Firewire Target mode, as suggested. Easiest way to get to a disk without running its code. (Yes, single-user mode will still execute some scripts on startup!)
* nidump passwd . - See if they've set passwords on any of the system accounts. Yes, they might be logging in as sshd or something equally silly.
* Files and directories to look for:
* Check
* Diff
Props.
I call Bullshit. There is no such thing as MacOS X spyware. What happened is that a .plist or pref got fucked up and you couldn't alter the prefs. This has been documented in various places, like:
http://daringfireball.net/2004/05/internet_helper
.plists copied directly from the newuser template. If it works in a new user and not in your old user, you have a prefs or .plist problem. This is what you discovered, not spyware. Don't cry wolf every time you have a problem you can't figure out. Horror stories about viruses and spyware are for Windoze lusers. Think Different.
http://daringfireball.net/2004/05/energy_saver
The easiest way to detect bad prefs is to create a new user and test the software in a new userspace. The new user will have fresh prefs and
CheckMate is a checksum comparison program... main problem would be that you need a good initial baseline.
What happened is that a .plist or pref got fucked up and you couldn't alter the prefs.
.plist problem. This is what you discovered, not spyware.
.plist modification. I certainly haven't heard anyone else echo my story, and I did a bit of googling, but that's what it looked like to me.
Yes, probably. The notable thing wasn't just that I couldn't change her homepage, but that it was set to some overture style search-shop-portal and I couldn't change it.
The popups, though, were what made me think she actually had some rogue process. But I've been wrong before. Whatever.
If it works in a new user and not in your old user, you have a prefs or
Well, it could have been spyware that was dependent on a prefs or
Think Different.
You're a dick.
There are no trails. There are no trees out here.
To be fair, they could have installed something into one of the user directories and that would stay with the user too. Using that I doubt they could create a situation anything like what this guy is claiming, but hey, it's theoretically possible to do all kinds of stuff since she's an Admin on her system and doesn't know what that means (which is why she shouldn't be an Admin).
.plist, and since we're talking about IE, it crashes very, very often (see rule 1). Perhaps the lesson learned is don't use IE. Yes, I agree, that's a good lesson to learn.
However, that's neither here nor there since IE on every platform is popup crazy (Hence rule 1 - Don't Use IE), and plists can get corrupted any time an application crashes while it's writing to the
You still don't get it, braniac. No, it wasn't "spyware that was dependent on a prefs or .plist problem," because there WAS NO spyware. There is no such thing as spyware on the Mac. Nobody has ever found a single instance of browser spyware on a MacOS X system. Pull your head out of Bill Gates' ass and recognize that MacOS X has a different security model than Windows, and does not have the problems you are used to on your PeeCee.
The problem you encountered is fairly common on MacOS X, plists and prefs get corrupted often enough. You just delete the defective plist or pref and it will be recreated the next time you run the app. There are even terminal scripts that will check plists for well-formed XML, so it is easier to locate busted plists. You could either create a new user with fresh, virgin prefs & plists, or you could do it the right way, locate the damaged file, delete it, and it will be recreated when it's needed.
Wow, Elwood was right. You are a dick. You're a mac zealot über nerd, and you aren't even right.
Spyware on the mac doesn't exist in the same way that it does on PCs (and really what's being described is more adware than spyware, but whatever). There are unscrupulous programs out there, and they do transmit information about you that you might not want sent. For the quick and dirty method, try running Little Snitch sometime and keep an eye on connections. Most of the time it's just the software developer trying to make sure your serial is valid, but I've run across a couple of programs that initiate direct connections to web advertising firms - and if that's not spyware I don't know what is.
If you get nervous, just remember that there are a few billion other people who don't really give a damn.
System profiler will show you installed kernel extensions etc. as well as a full list of applications. It does not show you command line executables however, just packages.
.ai, .doc, etc. one at a time, look through for anything supicious, then filter them all out again to see what's left. Start looking.
Do a search on created and modified dates including hidden files. This should show you any new stuff. Filter on known extensions..
A fool throws a stone into a well and a thousand sages can not remove it.
1)
:)
Download BootCD which is an app to create a BootCD from a current working installation. This will give you at least a working Finder and BSD subsystem with which you can hack around with.
2)
If that isn't easy enough, the following will blow your boots off:
* The T key forces the PowerBook (FireWire) (and reportedly the Power Mac G4 (AGP Graphics), though I was unable to verify that on my machine) to start up in FireWire Target Disk Mode, which is essentially the modern equivalent of SCSI Disk Mode and enables a PowerBook (FireWire) to act as a FireWire-accessible hard disk for another Macintosh.
Too many options!
This is so typical of the polarization of today's society, if someone disagrees with you, they're totally wrong and a dick. Better check your mirror and see where the problem is here.
So in response to your pedantic definition of spyware, let's use the more appropriate term "malware," meaning the sort of gadgets that are so well known on Windoze web browsers, stuff that infests your machine through insecure Windoze mechanisms like ActiveX, and once installed, does stupid stunts in your browser, like push porn popups, hijack ads, etc.
OK, so now that we have a new term, malware, let me explain it to you again.
THERE IS NO SUCH THING ON MACOS X.
This guy had a simple prefs problem and he leaps to the massively incorrect conclusion that he has some sort of malware that infected a MacOS X machine and got installed in some sort of virus-like method, screwing up his browser. But it didn't happen that way becuause THERE IS NO SUCH THING ON MACOS X.
Yes, I use Little Snitch, I've only found one app (BBEdit) that phones home to check serials, and that's not what the guy who started this thread is talking about. Yes, I know there's a new exploit for Safari and a couple of other browsers. A software update was released a couple of days ago, and another one was released tonight. Nobody's managed to exploit it with malware so far. Malware DOES NOT EXIST on MacOS X. Call me a dick all you want, but that will not change the facts. The guy had a prefs problem, he cried wolf, I called BS on him, and I'm right and he's wrong. So there.
This is so typical of the polarization of today's society, if someone disagrees with you, they're totally wrong and a dick.
I think it's more because you went from zero to confrontational with lightning speed. Polite disagreement looks quite a bit different than name-calling.
--saint
Osiris, an intrusion detection software package, will compile and run on OS X. Seems to work, but haven't had a real intrusion attempt yet to test it against (knock on wood).
At this point, it's clear he's just trolling. Saying "there is no such thing" is meaningless, and arguing that it's because MacOS is more secure is also meaningless.
He's making arguments with gaping holes because he wants further response. Trolly troll troll.
There are no trails. There are no trees out here.
Here is at a very minimum the steps required to perform forensics work on your system, I should also mention at this juncture that it is imperative to take detailed notes on what is happening both observations and actions.
The first thing is to connect another system either to the same hub or switch that you can capture packets from the compromised system. This will enable us to run a packet analyzer such as Ethereal to determine what network traffic is leaving the system. We need to do this incase of a program that is "phoning home" and when you take it off the network and subsequently it can't phone home it deletes itself or performs some other nefarious task.
When you are confident that no unusual network traffic is leaving the system we want to run a few commands that will not compromise the integrity of the system. Ideally not modify any file access times as well. What we are looking for are active processes, open files and if possible the contents of memory and the swap file. The output of these commands should be sent to a trusted remote system and the binaries themselves should come from a trusted source IE not the system you are working from. Make a CD with all of the commands that you intend to use (mount, lsof, top, ps, ssh for example). Before you run any commands on the system it is important that you have a game plan in place. Due to the nature of operating systems anything that you do at this stage can damage evidence that you may later need. But the list of open files can be critical in determining the extent of disruption to the system
After you have all the information that you can gather from the booted system the next step is to image the drive. Either via a drive duplicator (which you probably don't have) or using Disk Utility and imaging the drive. Boot the system into target disk mode holding the 'T' key at boot. You will know the system is in target disk mode when there is a blue screen with yellow FireWire icon. After it is in target disk mode connect it to another trusted Mac launch Disk Utility and image the drive (IMPORTANT: not the logical volume, the drive will have numbers in front of it) you want to make a READ ONLY disk image of the drive. It is important that for the remainder of the investigation you only work from the image of the drive.
When the drive has been imaged open the image on a known good system and inspect the log files. Ideally you will have other logs than the one on your system to examine. For example firewall logs of network connections to the compromised system. Look for file modification times that don't appear to be accurate
I apologize for the lack of detail in this post, I had to generalize many concepts into one brief memo. If time avails itself I will follow up with a more detailed post later. Good luck. And if you have any questions just ask.
When I learned unix, we didn't have "kmoppix". But, most unix-like systems have a single user mode. On Mac OS X, you press, I believe, option-apple-s on bootup. Of course, using the install cd works well too. Don't be a moron - treat unix like unix.
Yup. Good call.
Mac OS X is reasonably secure (to the best of my knowledge, I could easily be wrong) from a networking perspective, but only gives the illusion of security when tampered with from the hardware side. It's possible to bypass any startup login screen with merely an OS X CD, and what's worse, even without the CD you can still boot into darwin by holding down a key combination - I'm pretty sure you can turn both of these "features" off with a bit more technical expertise, but frankly, these security problems being left open by default worried me so much that I migrated away from putting OS X on any machines that are exposed to public use on our network, and I still won't do anything mission-critical on a Mac-based desktop system.
Meanwhile, most x86 PCs have BIOS passwords, a feature which I wish I knew how to enable on Macs - maybe it exists, maybe it doesn't, it sure wasn't forthcoming in the manual or any of the man pages I read.
I know my concerns for security do border on the paranoid, but my goal is to have my desktop systems so secure that compromising them necessitates stealing the hard drive. If that happens, I'll know there's been a compromise, and heck, I've rigged up a surprise of my own in store for the poor soul who attempts such a feat. I don't want someone to be able to walk up to a turned-off system, hold down a few keys, type a few commands, and have unrestricted access.
The "Start" menu in the lower left of the screen!
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
IHBT.
My Server is staying on 9.2.2 for good reasons and number one is I can sleep without worrying.. and its easier to maintain and has crashed only 2-3 times in 2 years. (application problems not system)
My Laptop is fine on OSX, but of course does not like networking very often...(G3 Lombard) sigh...
{ Pillar candles great for when the power fails and you cant see the keyboard..
lose the attitude, BRAINIAC. This isnt a flamewar on usenet.
noone appreciates it.
Microsoft DOS [version 1.0]
(C) copyright 1985 Microsoft Corp.
C:\>
Try these Apple knowledgebase articles:
1 06 482u m=120 095
http://docs.info.apple.com/article.html?artnum=
http://docs.info.apple.com/article.html?artn
Implementing Open Firmware password protection as described in these articles will effectively prevent someone from booting your Mac from a CD and resetting the password, among other forms of security...and, by the way, this solution comes right from Apple!
The only way to clear this form of security is to gain physical access to your Mac and change the amount of RAM installed (which forces the Mac to perform a long RAM test at next boot, erasing the OF PW). And, seriously, if someone can gain this kind of physical access to your Mac then you have much worse things to worry about than just a compromised login password!
"Many of you have probably dealt with computer intrusion before, but this is the first time for me with Mac OS X. I've got a machine where the passwords have been altered. If this were OpenBSD, I would... no wait, I wouldn't have to, would I?"
radmind - A suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. For Mac OS X, there's also a graphical interface.
At its core, radmind operates as a tripwire. It is able to detect changes to any managed filesystem object, e.g. files, directories, links, etc. However, radmind goes further than just integrity checking: once a change is detected, radmind can optionally reverse the change.
Each managed machine may have its own loadset composed of multiple, layered overloads. This allows, for example, the operating system to be described separately from applications.
Loadsets are stored on a remote server. By updating a loadset on the server, changes can be pushed to managed machines. radmind is available under a BSD-style license.
Go Blue!
dick, mostly.