Securing Mac OS X
LogError writes "This paper addresses operating system hardening in terms of patching, administration roles, and setting passwords. It also provides information on Mac OS X network security: namely, basic firewall configuration and hardening of network services such as FTP, SSH, and Apache."
While OS X is quite secure by default, it is good to recognize that OS X, like any OS, isn't without vulnerability. The fact that the OS is getting a thorough look-over for security concerns is just one more step in getting it taken seriously. I'm going to have a full of the paper now.
just in time for the machines I'm about to install.
...because they mention antivirus software and do not claim that it will be of any value other than possibly satisfying corporate IS requirements.
....is here. This for those of you who read the comments before reading the article ;)
What is the point of the internet?
Step 1: Turn on the Mac.
Step 2: There is no step 2!
Scoff if you want to, but I've never had to spend a couple hours trying to pry any malware out of my Macs-- but most of my billable time lately has been spent doing just that on clients' Windows boxes.
When Norton Antivirus, Spybot S&D, Ad-Aware and CoolWebShredder together aren't enough to delouse the average PC and keep it clean, IMHO it's just time to give up on Windows.
1. Put on oversized trench-coat
2. Walk into the Apple Store
3. Insert Mac OS X into trench-coat
4. Walk calmly to your car
5. Drive home
Latewire
You're like 45 levels of trolling coolness below GNAA. You *should* be embarrassed.
Lol. And you're the first person who will be infected when Mac OS X is hit hard.
Some of us like to know our systems are protected, and OS X will one day get hit. Best be secure BEFORE that happens, not trying to bolt the door after the horses have escaped.
Right now -- Today, anti-virus software for Mac OS X is worthless. There are no viruses to check for on OS X for it to protect against. IF or when a virus or a worm comes out for OS X then anti-virus software will have a use. Until then, you are just wasting money.
Just like anti-virus software for Linux, it is the modern day snake oil.
seSales, Point of Sale software for OS X.
2. Install OpenBSD/macppc
Next on Neill's Slashdot Comments: How to secure Linux.
... can be found in this blog entry. ... I'll try and link to higher-modded comments to his post in comments on my blog. I think the more people cross-pollinate ideas about end-user operating system security, the better-off we could all be :)
Extraordinary Vacations. Exceptional Prices
Not quite true, particularly in a corporate setting. Let me state first off that I run OS X and don't have any anti-virus software, but I can see a use for it.
Chances are that the email you're sending is getting read on a Windows box. If you're forwarding along a mail containing an attachment, you might be unwittingly forwarding a Windows virus which is totally harmless to you, but not so to your recipient. I had one the other day - README.CPL. Mac users don't need to care that that's a Windows control panel, and might not even know. Your virus checker might not prevent you from catching non-existent viruses, but it will help you be nicer to the Windows-using world by catching anything you're sending out. Can also help with macro viruses I imagine, though I don't have MS Office on my machine so I can't be certain of that.
Cheers,
Ian
shut down, pull the plug and fill with concrete. wait for it to harden. machine secured.
Do anti-virus programs on the client scan email that you send out? I was under the impression they scanned files that were copied to the hard disk, it would have to be very closely integrated with the email software to scan incoming email, and frankly there are better enterprise products for scanning mail attachments on the server side anyway.
Not forwarding attachments that you don't recognise/need is common sense - why would you possibly forward an email like that??? So I think the grand-parent's point stands - until there is a virus in the wild for OS X, installing anti-virus software is not going to help anyone.
The only possible use I can see is to scan for word macro viruses which you might pass on to windows users, however there is another solution to that problem. Also, if they have anti-virus software (which they should have) it should pick that up.
The article gives a brief overview of SSH, explains AllowUsers, tunnelling, and recommends disabling SSHv1. However, it misses other details. The most important is disabling root login (which is allowed by default) with: PermitRootLogin no and it would also have been nice to see them suggest changing the Ciphers list from the default, choosing SHA1 MACs, and giving a rundown of public-key-based authentication rather than merely sending readers onward to the OpenSSH website.
Can't you see that everyone is buying station wagons?
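A check for the sshd_config settings named in the comment above (PermitRootLogin, SSHv1, AllowUsers), as an added example that is not part of the original post or the paper. The sample configurations are constructed, and treating an absent PermitRootLogin as "yes" is an assumption taken from the comment's description of the default.

```python
# Added example: audits sshd_config text for the settings the comment names.
SAMPLE_WEAK = """\
# constructed sample, not from a real host
Protocol 2,1
#PermitRootLogin yes
"""

SAMPLE_HARDENED = """\
# constructed sample
Protocol 2
PermitRootLogin no
AllowUsers bob
"""

def effective_settings(text):
    """Return global settings; sshd keeps the first value given for a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # settings after Match are conditional, not global
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return a list of finding labels (labels are this example's own names)."""
    s = effective_settings(text)
    findings = []
    # Assumption: an absent PermitRootLogin is treated as "yes".
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("root-login-allowed")
    # Only an explicit "1" is flagged; the default for Protocol varies by version.
    if "1" in [p.strip() for p in s.get("protocol", "").split(",")]:
        findings.append("sshv1-enabled")
    if "allowusers" not in s:
        findings.append("no-allowusers")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg))
```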
Sorry, but the Windows-using world can kiss my ass. I don't see how I should be expected to buy antivirus software for Mac OS X simply as a courtesy to Windows users with whom I may communicate. Frankly, as a longtime Mac user I'm fucking sick and tired of bending over backwards to accommodate Windows users, and not getting a fraction of that courtesy in return.
They should be running their own damned antivirus software so any file that I pass them gets checked/disinfected on their end.
If Windows users want me to run antivirus software on my Mac which does not need it, then they are more than welcome to buy it for me-- surely they can afford it, since they saved soooo much money by buying a Windows PC, right?
There is a very easy way to secure any operating system. Turn your computer off. Other than that, there will always be vulnerabilities, and while you do want to make sure that if you need the security, you have it, most people don't need it. I have no fear that some hacker is going to come into my computer and steal all of my personal files. Besides, even if he did, so what? I have nothing of real importance that isn't backed up. If you need the security that badly, hire an IT team.
Got a problem? Call a monkey!
What makes you think that anti-virus software written for OS X will even be able to detect a Windows virus lying dormant in a file? The code won't even execute on the processor. The anti-virus software is not going to have definitions for viruses that don't exist on the platform that the software was designed for.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
It does have definitions for them. As it stands, that is the entire purpose of OSX antiviral software.
Yes, they do have definitions for other platforms. Doesn't matter in the slightest what processor the virus was meant for, virus scanners don't check things are viruses by running the code, they do it by pattern recognition.
I have Clam anti-virus software running on a Linux server. It's happily catching Windows viruses all day long...
Cheers,
Ian
Yes, because we have anti-virus software that can see into the future, and protect against viruses that haven't been written yet.
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
The anti-virus software is not going to have definitions for viruses that don't exist on the platform that the software was designed for.
That isn't true, I don't think. Virex on the Mac recognizes Windows virii signatures.
Tuus crepidae innexilis sunt.
As a paying .Mac member, I downloaded and installed McAfee Virex 7.2, and it's actually found a few viruses: Windows viruses in software installers backed up on my OS X fileserver! It also tripped across a really ancient Mac virus on a very old Zip disk from about five years ago, and since I've got a pretty healthy collection of old pre-G3 Macs, Virex has done its job very nicely.
Learn from the mistakes of others. You won't live long enough to make them all yourself.
Well, I'll have to take your word for it for now. I have never seen Norton Antivirus catch a Windows virus, but maybe that is pure coincidence.
I never would have thought that anti-virus software would bother with viruses that don't affect the client machine. I do wonder how they can be sure that the patterns they are matching to don't have a legitimate use on the platform (like say, a datafile) and only happen to have the same binary values in the right places to also be a Windows virus.
Still... not much of an argument for running Mac anti-virus software, even in an office environment. You should really be scanning for email viruses on the email server and never let it get down to the client. Shelling out for anti-virus software for the Mac and for Windows seems like a waste when simply running the Windows versions would cost less and be just as effective.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
I've learned my one thing for the day: an admin can control who can and who cannot execute the sudo command.
"Sudo
Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default Panther allows all administrative users access to the sudo command and it allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead, enable it on a per user basis.
From the terminal, edit the /etc/sudoers file by typing: sudo visudo
Insert a hash (#) character, in front of the line
%admin ALL=(ALL) ALL
To allow only the user 'bob' access to sudo add the line:
bob ALL = (ALL) ALL
Make sure that at least one user has permissions to run sudo before saving the file! Access controls within the sudoers file can be specified minutely, for example, it is possible to grant the user james access to the file /usr/bin/kill, but only with the privileges of user tim. See the sudoers man page for more details on tightening access controls through sudo."
Who'da thunk?
d a v e
"Hmmm...upgrades."
virii isn't a real word
There is nothing healthy about having a collection of pre-G3 Macs..
Not that I don't have one too... but it's certainly not healthy.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
That's really funny, in a "who the hell thought that would be a good idea?" sort of way...
Most people just copy and paste the [user list] ALL=(ALL) ALL form, without considering what limits can be imposed. Really, that's
[user list] [host list]=([run-as-user list]) [command list]
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
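The sudoers field layout from the comment above, applied to the rules in the paper excerpt quoted earlier in the thread, as an added example that is not part of either post or of the paper. The james rule is constructed from the paper's prose description, and the parser covers only the single-line, single run-as form shown on this page (no aliases, tags or includes).

```python
import re

# Constructed sample: the two lines quoted from the paper (the %admin line
# commented out as the paper instructs) plus a rule written here for the
# james/tim case that the paper describes only in prose.
SAMPLE_SUDOERS = """\
# %admin ALL=(ALL) ALL
bob ALL = (ALL) ALL
james ALL = (tim) /usr/bin/kill
"""

# [user list] [host list]=([run-as-user list]) [command list]
RULE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse_rules(text):
    """Parse user specifications into dicts; other line types are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        users, hosts, runas, cmds = m.groups()
        rules.append({
            "users": users.split(","),
            "hosts": [h.strip() for h in hosts.split(",")],
            # sudo runs commands as root when no run-as list is given
            "runas": [r.strip() for r in (runas or "root").split(",")],
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return rules

def unrestricted(rule):
    """True when the rule allows any command as root or as any user."""
    return "ALL" in rule["commands"] and bool({"ALL", "root"} & set(rule["runas"]))

def report(text):
    """Return (user list, 'unrestricted' or 'limited') for each active rule."""
    return [(",".join(r["users"]), "unrestricted" if unrestricted(r) else "limited")
            for r in parse_rules(text)]

if __name__ == "__main__":
    for who, verdict in report(SAMPLE_SUDOERS):
        print(who, verdict)
```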
False positives are problems with all pattern matching systems, but it doesn't seem to come up that often. The anti-virus vendors seem to do a pretty good job of finding unique strings to match on.
It is possible for anti-virus software to detect unknown viruses by monitoring for suspicious activity. Several viruses for classic Mac OS were file infectors that attached themselves to an existing application on your machine. Thus, you don't need to have specific rules to catch these viruses, you simply monitor for and alert on attempts to write to files of type APPL.
End of Line.
"Dear Bob,
I received this attachment from a nice Nigerian man - he suggested I open it and put my credit card numbers in to the box that appears to register it. However, being a Mac user, I can't open it. Would you please do so, and put your credit card numbers in?
Thanks!"
Seriously? How many people forward emails with attachments that they can't open?
A new user entering the internet is like your first time using the communal prison showers.
Those with previous experience (Custom Linux installation) will know there's security options and will pick, for example, "buttcheeks=open" or "buttcheeks=closed" depending on what they plan to do.
The new users won't know there's an option until it's pointed out to them some time in the future.
MacOSX follows "recommended best practice" and starts you off with buttcheeks=closed, and if that ever becomes a problem, hopefully you'll look into it yourself and figure out which option needs changing to enhance your experience.
Windows apparently starts with buttcheeks=open, because they don't want to deny their users the full internet experience. Or something.
I thought the Catholic Church declared that "the Internet" didn't exist?
Seriously though, Windows bigots are funny. Maybe they're taking a break from SpyBot S&D trolling for adbots?
While I admire your desire to be nice to the folks running Windows by not passing on infected messages...
Email anti-virus needs to be done by the server to be reliable. That way it doesn't matter who or where the infected message came from, if it has a virus it gets quarantined on the server, no bounce messages, just quarantined.
If someone was expecting something and it doesn't get through, you will hear about it and you can look into it to find that it has a virus and the sender needs to clean up their mess before it gets into your network.
The majority of the virus infected email I see in my quarantine is purely viral, I don't know that I have ever seen a "valid" email with a virus, but I tend to deal mostly with computer adept folks.
Goofy wording, but the guy has a point. Windows comes out of the box like a boat made of mesh, while OS X comes built like a warship. You can drill holes in the bottom of the warship if you want, but the mesh on Windows will take a lot more effort to patch. :) Sorry for the goofy analogy, but that's the basic point. ....OpenBSD on the other hand is kind of like a Nuclear Missile Sub. ;) - just a thought.
Whether it's based on magic number-like signatures, or something like md5 hashes, or whatever, any way of recognizing a file, based on less than the full file for comparison, will always lose some information.
Note that this was clamav running on a knoppix boot disk, scanning a windows HD. It did detect a couple of legit bits of malware too.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
If you were interested in this topic of discussion ... maybe this will appeal ?
http://packetstormsecurity.org/filedesc/applePanther.txt.html
My Virex found MS Office viruses hidden in ancient Word documents from the OS 7 era -- on an OS X computer. They were still able to damage Word X's menu layout. These viruses may originate on Windows, but affect both systems.
Incidentally, I posted this information some time back, and my post was branded "flamebait". Go figure...