Securing Mac OS X
LogError writes "This paper addresses operating system hardening in terms of patching, administration roles, and setting passwords. It also provides information on Mac OS X network security: namely, basic firewall configuration and hardening of network services such as FTP, SSH, and Apache."
While OS X is quite secure by default, it is good to recognize that OS X, like any OS, isn't without vulnerability. The fact that the OS is getting a thorough look-over for security concerns is just one more step in getting it taken seriously. I'm going to have a full of the paper now.
...because they mention antivirus software and do not claim that it will be of any value other than possibly satisfying corporate IS requirements.
....is here. This is for those of you who read the comments before reading the article ;)
What is the point of the internet?
Step 1: Turn on the Mac.
Step 2: There is no step 2!
Scoff if you want to, but I've never had to spend a couple hours trying to pry any malware out of my Macs-- but most of my billable time lately has been spent doing just that on clients' Windows boxes.
When Norton Antivirus, Spybot S&D, Ad-Aware and CoolWebShredder together aren't enough to delouse the average PC and keep it clean, IMHO it's just time to give up on Windows.
1. Put on oversized trench-coat
2. walk into the apple store
3. Insert Mac OS X into trench-coat
4. Walk calmly to your car
5. Drive home
Latewire
Right now -- Today, anti-virus software for Mac OS X is worthless. There are no viruses to check for on OS X for it to protect against. IF or when a virus or a worm comes out for OS X then anti-virus software will have a use. Until then, you are just wasting money.
Just like anti-virus software for Linux, it is the modern day snake oil.
seSales, Point of Sale software for OS X.
2. Install OpenBSD/macppc
Next on Neill's Slashdot Comments: How to secure Linux.
... can be found in this blog entry. ... I'll try and link to higher-modded comments to his post in comments on my blog. I think the more people cross-pollinate ideas about end-user operating system security, the better-off we could all be :)
Extraordinary Vacations. Exceptional Prices
Not quite true, particularly in a corporate setting. Let me state first off that I run OS X and don't have any anti-virus software, but I can see a use for it.
Chances are that the email you're sending is getting read on a Windows box. If you're forwarding along a mail containing an attachment, you might be unwittingly forwarding a Windows virus which is totally harmless to you, but not so to your recipient. I had one the other day - README.CPL. Mac users don't need to care that that's a Windows control panel, and might not even know. Your virus checker might not prevent you from catching non-existent viruses, but it will help you be nicer to the Windows-using world by catching anything you're sending out. Can also help with macro viruses I imagine, though I don't have MS Office on my machine so I can't be certain of that.
Cheers,
Ian
shut down, pull the plug and fill with concrete. wait for it to harden. machine secured.
Do anti-virus programs on the client scan email that you send out? I was under the impression they scanned files that were copied to the hard disk, it would have to be very closely integrated with the email software to scan incoming email, and frankly there are better enterprise products for scanning mail attachments on the server side anyway.
Not forwarding attachments that you don't recognise/need is common sense - why would you possibly forward an email like that??? So I think the grand-parent's point stands - until there is a virus in the wild for OS X, installing anti-virus software is not going to help anyone.
The only possible use I can see is to scan for word macro viruses which you might pass on to windows users, however there is another solution to that problem. Also, if they have anti-virus software (which they should have) it should pick that up.
The article gives a brief overview of SSH, explains AllowUsers, tunnelling, and recommends disabling SSHv1. However, it misses other details. The most important is disabling root login (which is allowed by default) with: PermitRootLogin no and it would also have been nice to see them suggest changing the Ciphers list from the default, choosing SHA1 MACs, and giving a rundown of public-key-based authentication rather than merely sending readers onward to the OpenSSH website.
Can't you see that everyone is buying station wagons?
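An added example, not part of the comment above or of the paper: a small shell audit that checks an sshd_config for three of the settings the comment names (PermitRootLogin no, SSHv1 disabled, AllowUsers set). The function names and the sample file are constructed for illustration, and the Protocol check assumes an OpenSSH release that still supports that keyword.

```shell
#!/bin/sh
# first_value FILE KEYWORD: print the value of the first uncommented
# occurrence. sshd keeps the first value it reads for a keyword, and
# keywords are case-insensitive.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sshd FILE: print one finding per line; return 1 if anything was found.
audit_sshd() {
    file=$1; findings=0
    root=$(first_value "$file" PermitRootLogin)
    proto=$(first_value "$file" Protocol)
    users=$(first_value "$file" AllowUsers)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"; findings=1
    fi
    if [ "$proto" != "2" ]; then
        echo "Protocol is '${proto:-unset}', expected '2' (SSHv1 disabled)"; findings=1
    fi
    if [ -z "$users" ]; then
        echo "AllowUsers is unset, any account may attempt login"; findings=1
    fi
    return $findings
}

# Constructed sample: SSHv1 still offered, root login line commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Protocol 2,1
#PermitRootLogin no
AllowUsers bob
EOF
audit_sshd "$sample" || true
```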
Yes, because we have anti-virus software that can see into the future, and protect against viruses that haven't been written yet.
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
As a paying .Mac member, I downloaded and installed McAfee Virex 7.2, and it's actually found a few viruses: Windows viruses in software installers backed up on my OS X fileserver! It also tripped across a really ancient Mac virus on a very old Zip disk from about five years ago, and since I've got a pretty healthy collection of old pre-G3 Macs, Virex has done its job very nicely.
Learn from the mistakes of others. You won't live long enough to make them all yourself.
I've learned my one thing for the day: an admin can control who can and who cannot execute the sudo command.
"Sudo
Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default Panther allows all administrative users access to the sudo command and it allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead, enable it on a per user basis.
From the terminal, edit the /etc/sudoers file by typing:
sudo visudo
Insert a hash (#) character, in front of the line
%admin ALL=(ALL) ALL
To allow only the user 'bob' access to sudo add the line:
bob ALL = (ALL) ALL
Make sure that at least one user has permissions to run sudo before saving the file! Access controls within the sudoers file can be specified minutely, for example, it is possible to grant the user james access to the file /usr/bin/kill, but only with the privileges of user tim. See the sudoers man page for more details on tightening access controls through sudo."
Who'da thunk?
d a v e
"Hmmm...upgrades."
there is nothing healthy about having a collection of pre-G3 Macs..
not that I don't have one too... but it's certainly not healthy.
"In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson
That's really funny, in a "who the hell thought that would be a good idea?" sort of way...
Most people just copy and paste the [user list] ALL=(ALL) ALL form, without considering what limits can be imposed. Really, that's [user list] [host list]=([run-as-user list]) [command list]
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
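An added example, not from the paper or from either commenter: a shell function that splits simple sudoers rules into the four fields described above and marks which grants are unrestricted. The sample file is constructed from the entries quoted in the thread; the james rule is written here from the paper's description, and the parser assumes one plain rule per line (no aliases or line continuations).

```shell
#!/bin/sh
# list_grants FILE: print "who|hosts|run-as|commands|verdict" for each rule.
list_grants() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }  # not user rules
        {
            eq = index($0, "=")
            if (eq == 0) next
            left  = trim(substr($0, 1, eq - 1))
            right = trim(substr($0, eq + 1))
            who = left; sub(/[ \t].*/, "", who)
            hosts = trim(substr(left, length(who) + 1))
            runas = "root"                  # sudo runs as root when no (list) is given
            if (substr(right, 1, 1) == "(") {
                close_at = index(right, ")")
                runas = trim(substr(right, 2, close_at - 2))
                right = trim(substr(right, close_at + 1))
            }
            cmds = right
            gsub(/[A-Z_]+:[ \t]*/, "", cmds)   # drop tags such as NOPASSWD:
            wide = (cmds == "ALL" && (runas == "ALL" || runas == "root"))
            print who "|" hosts "|" runas "|" cmds "|" (wide ? "unrestricted" : "limited")
        }' "$1"
}

# unrestricted FILE: print only the users or groups that may run anything.
unrestricted() {
    list_grants "$1" | awk -F'|' '$5 == "unrestricted" { print $1 }'
}

# Constructed sample: %admin commented out, bob unrestricted, james limited.
sudoers_sample=$(mktemp)
cat > "$sudoers_sample" <<'EOF'
# constructed sample based on the entries quoted in the thread
# %admin ALL=(ALL) ALL
bob ALL = (ALL) ALL
james ALL = (tim) /usr/bin/kill
EOF
list_grants "$sudoers_sample"
```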
This alone isn't enough. You need physical security, too. If I can get physical access to the machine, I can walk out of the room with the whole thing, or just its hard drive, or even just an image of its hard drive, and start working on it.
The only truly secure computer is encased in concrete and sitting at the bottom of the Pacific Ocean, two thousand miles south of Honolulu.
End of Line.
"Dear Bob,
I received this attachment from a nice Nigerian man - he suggested I open it and put my credit card numbers in to the box that appears to register it. However, being a Mac user, I can't open it. Would you please do so, and put your credit card numbers in?
Thanks!"
Seriously? How many people forward emails with attachments that they can't open?
A new user entering the internet is like your first time using the communal prison showers.
Those with previous experience (Custom Linux installation) will know there's security options and will pick, for example, "buttcheeks=open" or "buttcheeks=closed" depending on what they plan to do.
The new users won't know there's an option until it's pointed out to them some time in the future.
MacOSX follows "recommended best practice" and starts you off with buttcheeks=closed, and if that ever becomes a problem, hopefully you'll look into it yourself and figure out which option needs changing to enhance your experience.
Windows apparently starts with buttcheeks=open, because they don't want to deny their users the full internet experience. Or something.
SHHH! Dude, don't tell them WHERE in the Pacific!
I might know what I'm talkin' about, but then again, this is Slashdot...