Slashdot Mirror


Securing Mac OS X

LogError writes "This paper addresses operating system hardening in terms of patching, administration roles, and setting passwords. It also provides information on Mac OS X network security: namely, basic firewall configuration and hardening of network services such as FTP, SSH, and Apache."

8 of 63 comments

  1. Direct link to the PDF.... by Currawong · · Score: 4, Informative

    ....is here. This is for those of you who read the comments before reading the article ;)

    --

    What is the point of the internet?
  2. Re:Securing Mac OS X by dnahelix · · Score: 3, Informative

    My poor neighbors just got a PC (booo) with XP and, upon my suggestion, got Comcast broadband.

    Less than 48 hours after being hooked to the internet, they're calling me over because some anti-virus app had detected spyware and some other thing and was going to need a couple of hours to scan the hard drive.
    Needless to say, these newbies were panicking big time.
    They asked how I dealt with viruses and the like and I said, "Remember, I said I use Macs." The wife says, "ooooh, you don't get viruses on your macs?" Then looks at her husband and says "Why didn't we get a Mac?"
    The next day they had some PC tech company people there to fix it! (and the bastards parked in MY driveway)

    --
    Slashdot Eds Link Anonymous Posts With Logged Posts
    They Are Vermin Feeding On Each Other's Feces.
    I Hate \.
  3. a couple of thoughts on this paper ... by valmont · · Score: 2, Informative

    ... can be found in this blog entry. ... I'll try and link to higher-modded comments to his post in comments on my blog. I think the more people cross-pollinate ideas about end-user operating system security, the better-off we could all be :)

  4. Missing: Important sshd_config changes by tbmaddux · · Score: 3, Informative

    The article gives a brief overview of SSH, explains AllowUsers, tunnelling, and recommends disabling SSHv1. However, it misses other details. The most important is disabling root login (which is allowed by default) with:
    PermitRootLogin no
    and it would also have been nice to see them suggest changing the Ciphers list from the default, choosing SHA1 MACs, and giving a rundown of public-key-based authentication rather than merely sending readers onward to the OpenSSH website.

    --
    Can't you see that everyone is buying station wagons?
    1. Re:Missing: Important sshd_config changes by discstickers · · Score: 2, Informative

      Isn't that not really a problem, since root isn't, by default, enabled?

      --
      I have a shitty sig!
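
An added example, not part of the thread or the paper: a small audit of the sshd_config directives named in comment 4 above. The sample file is constructed, and treating a missing PermitRootLogin line as "root login allowed" is an assumption taken from that comment's description of the default.

```python
import re

# Directives comment 4 names, lower-cased (sshd keywords are case-insensitive).
NAMED = ["permitrootlogin", "protocol", "allowusers", "ciphers", "macs"]

# Constructed sample, not taken from any real host.
SSHD_SAMPLE = """\
# sshd_config (constructed)
Protocol 2,1
#PermitRootLogin no
AllowUsers bob
PermitRootLogin yes
PermitRootLogin no
"""

def effective(text):
    """Map each global keyword to the value sshd uses (first occurrence wins)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive has no effect
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        seen.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return seen

def audit_sshd(text):
    """Return (findings, named directives that are not set at all)."""
    cfg = effective(text)
    findings = []
    # Assumption from comment 4: with no PermitRootLogin line, root may log in.
    if cfg.get("permitrootlogin", "yes") != "no":
        findings.append("root login permitted")
    if "1" in re.split(r"\s*,\s*", cfg.get("protocol", "")):
        findings.append("SSHv1 enabled")
    if "allowusers" not in cfg:
        findings.append("no AllowUsers restriction")
    return findings, [k for k in NAMED if k not in cfg]

if __name__ == "__main__":
    print(audit_sshd(SSHD_SAMPLE))
```

The sample still reports root login as permitted because the earlier `PermitRootLogin yes` line takes precedence over the later `PermitRootLogin no`.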
  5. Re:They score some points with me on a first skim. by Gryffin · · Score: 4, Informative

    As a paying .Mac member, I downloaded and installed McAfee Virex 7.2, and it's actually found a few viruses: Windows viruses in software installers backed up on my OS X fileserver! It also tripped across a really ancient Mac virus on a very old Zip disk from about five years ago, and since I've got a pretty healthy collection of old pre-G3 Macs, Virex has done its job very nicely.

    --
    Learn from the mistakes of others. You won't live long enough to make them all yourself.
  6. I can go home now... by dave+at+hostwerks · · Score: 5, Informative

    I've learned my one thing for the day: an admin can control who can and who cannot execute the sudo command.

    "Sudo
    Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default Panther allows all administrative users access to the sudo command and it allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead, enable it on a per user basis.

    From the terminal, edit the /etc/sudoers file by typing:
    sudo visudo
    Insert a hash (#) character, in front of the line
    %admin ALL=(ALL) ALL

    To allow only the user 'bob' access to sudo add the line:
    bob ALL = (ALL) ALL

    Make sure that at least one user has permissions to run sudo before saving the file! Access controls within the sudoers file can be specified minutely, for example, it is possible to grant the user james access to the file /usr/bin/kill, but only with the privileges of user tim. See the sudoers man page for more details on tightening access controls through sudo."

    Who'da thunk?

    --
    d a v e
    "Hmmm...upgrades."
  7. I'd never read that manpage through by scruffyMark · · Score: 2, Informative

    insults If set, sudo will insult users when they enter an incorrect
    password. This flag is off by default.

    That's really funny, in a "who the hell thought that would be a good idea?" sort of way...

    Most people just copy and paste the
    [user list] ALL=(ALL) ALL form, without considering what limits can be imposed. Really, that's
    [user list] [host list]=([run-as-user list]) [command list]

    --

    What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
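
An added example, not part of the thread or the paper: a parser for the `[user list] [host list]=([run-as-user list]) [command list]` form from comments 6 and 7, which lists who holds an unrestricted grant and checks the "at least one user can still run sudo" warning before saving. It handles only this single-spec form (no aliases, tags or line continuations); the sample file and the lockout rule (no non-root principal with a full grant) are assumptions of this example.

```python
import re

# [user list] [host list]=([run-as-user list]) [command list]
SPEC = re.compile(
    r"^(?P<users>[^=\s,]+(?:\s*,\s*[^=\s,]+)*)\s+(?P<hosts>[^=]+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sample: the edit the quoted paper describes, plus its james/tim case.
SUDOERS_SAMPLE = """\
Defaults insults
root ALL=(ALL) ALL
# %admin ALL=(ALL) ALL
bob ALL = (ALL) ALL
james ALL = (tim) /usr/bin/kill
"""

def split_list(field):
    return [item.strip() for item in field.split(",") if item.strip()]

def parse_specs(text):
    """Yield (users, hosts, runas, commands) for each active user specification."""
    for raw in text.splitlines():
        line = raw.strip()
        # '#' starts a comment; Defaults and *_Alias lines are not user specs.
        if not line or line.startswith("#") or re.match(r"(Defaults|\w+_Alias)\b", line):
            continue
        m = SPEC.match(line)
        if m:
            runas = split_list(m.group("runas") or "root")  # sudo defaults to root
            yield (split_list(m.group("users")), split_list(m.group("hosts")),
                   runas, split_list(m.group("cmds")))

def audit_sudoers(text):
    """Return (principals with ALL=(ALL) ALL, restricted grants, lockout flag)."""
    unrestricted, restricted = [], []
    for users, hosts, runas, cmds in parse_specs(text):
        wide = "ALL" in hosts and "ALL" in runas and "ALL" in cmds
        for user in users:
            if wide:
                unrestricted.append(user)
            else:
                restricted.append((user, runas, cmds))
    # The paper says root is disabled on OS X, so a root-only file is a lockout.
    lockout = not any(user != "root" for user in unrestricted)
    return unrestricted, restricted, lockout

if __name__ == "__main__":
    print(audit_sudoers(SUDOERS_SAMPLE))
```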