Securing Mac OS X Tiger
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
I put a tiger on a leash once. It didn't work. Don't try this at home, kids!
Ah, good Slashdot.... Now it warns us that TFA is "long", even.
But of course, I don't think anyone ever tries to RTFA, so the thoughtful gesture is lost on us....
That's why it says that it's "one of the most" not "the most".
- Henrik
- when the Shadows descend -
"one of the most" - not THE most. At least read the post, let alone the article
Durr, I make really quick but completely vacuous and inane posts to a new story to get karma.
Durr.
If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I remember they did a write up last year about securing OS X Panther.
Nice to see Roy Horn has recovered enough to post on slashdot.
One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc also. Article is well worth a read for any mac user, and non mac user who may have macs in their environment
Oh good god. I appreciate RTFA as a stretch, but not even RTFQYQFTS (Read the f'ing quotation you quoted from the summary) - that's a new /. low
When I read 'long pdf' I thought it was at least 400 pages. 1-50 pages is short, 50-400 pages is a bit long, 400-infinity is long.
Wow, bundling iTunes (a program which lets you load MP3s onto an iPod) with an iPod. What blatant disregard for the consumer, who is powerless to install other iPod interface software or buy a different MP3 player.
I knew he was a Canadian.
I knew it.
Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as its weakest point."
Law enforcement agencies announce that "OS X Tiger" stands in the way of forensic investigation. Story at eleven.
Mildly funny, but also a bit irresponsible without a warning:
Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.
Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.
Another tip: never enter console commands you don't understand.
http://www.nsa.gov/snac/
http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf
http://eq.rsug.itd.umich.edu/software/radmind/
http://homepage.mac.com/hogfish/PhotoAlbum2.html
Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks.
Grab it by the toe.
Wear good earplugs.
all you did was say "the article has this and this in it. read it if you use macs." +5 for that? what's informative about that?
I didn't see any mention of disabling this dangerous feature in the article.
By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper.
So it's advisable to somehow disable this functionality.
I totally agree. I love my mini... well, let me amend that: I love OS X and the way the mini looks. The base model (originally) only had 256 mb of RAM. Now normally that wouldn't be the biggest deal in the world, but when coupled with a 4200 RPM hard drive, you get some serious slow-downs whenever it hits the swap file.
Best ways to make a mini better:
Get either an external firewire drive with a huge cache or a 7200 RPM internal 2.5" drive (the speeds for external firewire beat the stock internal drive, how pathetic is that?!)
Upgrade the RAM
Change the minijumper on the logic board to overclock the processor
It's a great machine after that. Apple shouldn't have crippled it the way they did.
I tried it and nothing happened, the hard drive is going though, how long does it ta.....
Seriously, given the inferiority of Microsoft software, it would do the world a favor if someone would "rm-ed" their stuff worldwide.
We Mac users keep waiting for that certain virus to do the job.
Prison isn't as bad as it's made out to be, you'll be out in 5 years on good behavior.
No, it doesn't. It just marks as deleted all the inodes for all the files on your disk. Do this, then give the disk to someone with EnCase, and watch them promptly recreate every file on your disk.
End of Line.
correct me if i'm wrong, but i think NetBSD beats OpenBSD on this.
Ok, it's running. Then wh...#$(#*$)#*$)#)$
Favorite quote: "
Believe me, you haven't missed anything.
Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm disappointed that a real Mac problem was not addressed. It allows you world writable Applications directory, and .app folder copied by user can be tainted anytime by anyone modifying one single file from terminal.
It contains:
Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs, changing user home directories from 022 to 027, tcp_wrappers, xinetd, and other services, file vault, encrypted disk images...
Basically the only positive thing I got from reading it, was how insecure default OSX (talking about DEFAULT here, not what is possible. Mac line was always "Just works") really is. It is more or less as secure as Windows 98 with few bugs taken out and few new entered.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
You would be incorrect, friend. While NetBSD is a very secure operating system, OpenBSD believes in proactive security, that is, fixing problems before they become problems. They regularly undergo code audits and otherwise focus on clean, secure code. More information is available here: http://openbsd.org/security.html
Yeah, right. At what cost? Count downtime and all service costs.
Windows has the same feature, so what?
On Linux you can install libtrash or any other kind of protection, which is much nicer than any filesystem default, so what?
On VAX all the versions were collected, so what??
It is downtime and service needed that counts not someone with EnCase. Problem is that you can do rm / by default and not what it does and not whether Mac is holy or not.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Want to trade for a slow intel piece of crap?
That's not offtopic, you're trolling.. How is outsourcing a bad thing? I thought you americans were promoting globalisation, but I guess that's only when you're not the ones getting screwed over. Thanks for the link though, I didn't know if I should laugh or cry when I read this: "Although the legal limit on pay to foreign workers in the USA is around $60,000[...]".
Unplug the power. I mean, we all know the most secure computer is the one that's turned off, right? And of course it should be locked up in a safe in a deep dark cavern protected by a dragon or something.
This is terrible and must be stopped.
I bought a printer two weeks ago. IT TOO CAME BUNDLED WITH A DRIVER.
I notice I was powerless to install another driver to work it, this bundling meant I was not able to get a driver for my Canon from Epson, HP, Netscape, Pioneer or DeWalt.
This is a monopoly!
London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.
http://www.macworld.com/news/2004/11/02/mi2g/index.php
No.
You're just jealous because the voices only talk to me.
You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.
This is very interesting. The article points out that small businesses and individuals get cracked more than big organizations. It also points out that more people use Windows and Linux than Mac OS X and BSD. I wonder if the numbers take that into account. Are the Linux statistics balanced with the windows counts, etc?
I think there might be two problems with the information assuming the numbers are normalized on installs vs successful compromises. First, Mac OS X is the most widely sold UNIX like OS in the world. It's hard to believe that OS X and BSD counted together is more than Linux. Most other surveys put them at about the same percentage. If you look at servers then linux would blow out OS X and probably BSD. Desktops i think linux would do better than BSDs aside from OS X. Second, it would be nice to see data on how well trained the sys admins were on the systems. Many people don't know linux well enough to properly secure it. An OSX desktop ships in a safer default than most linux distros. In fact, if you look at the bloated distros they ship with several programs that do the same thing. (KDE and Gnome along with software) 4 browsers, 3 email clients, probably 20 text editors, etc. OS X server and Linux are both a pain in the ass for different reasons. I think they give a false sense of security because of the user interface. (graphical and not distros like gentoo or debian that don't include x11 by default) Windows has the same problem. If you meet a windows admin who's never touched the registry then you know they are an idiot. Likewise, if someone hasn't touched a config file in /etc or used a terminal on OS X server or linux they are an idiot. BSD people have no choice :)
Obscurity only goes so far. I'd also like to know what caused the linux distros to get attacked. Was it a kernel flaw, service issue, common open source software? For example, many operating systems come with a webserver now (apache or iis). Is there a pattern on services?
I write this on a redhat EL 3.0 workstation install. I've noticed that i get about the same number of security updates in a month for my windows box and this redhat machine. Today i had to install 5 patches to redhat. (last patched a week ago) and i patched windows a few days ago and had 3. My ibook g4 laptop with tiger on it has had about 7 security patches in the last month and countless new versions of software like quicktime, itunes, etc. I've always wondered if apple hides security updates in new versions of software and doesn't tell anyone. My point is that all my operating systems seem to require the same amount of security patching in desktop scenarios. My FreeBSD file server and webservers tend to need 1-2 patches a month as part of the userland and then new versions of software add up for say 20-25 portupgrades a month. And that does not include apache, mysql or php which i manually compile and install.
Numbers without more background are not that helpful.
MidnightBSD: The BSD for Everyone
I skimmed through it, and it's pretty thorough. Great for lab admins to have handy. I do wish they would have mentioned something about chroot for SFTP though.
mi2g Intelligence Unit on Tuesday released a report
Tuesday the ?? November 2004. Got any measure of the malware released since then? After Windoze & Lunix have finished sluggin' it out the OS-X+BSD death rate is right in line with market share, no better, no worse. I'd like to think the users could make it better, but it ain't so
Solaris too, and even everyone's favorite: Windows
http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1
I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.
There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.
Password policies! I had no idea Tiger could do that.
After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.
This is a very good article.
What you're saying is true (I'm sorry I spent my mod points, you're surely due some). This has been frustrating me about Windows since I was an NT4 admin years back. On the recommendation of a certain famous web designer, I tried out Linux. That really opened up my eyes to the beautifully simple approach Unices take towards multiuser security.
Working in a DevOps shop is like playing in a band made up entirely of keytarists.
Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.
1) Unplug it from any network.
2) Strictly control whoever gets physical access.
3) ???
4) Security!
Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposable devices to the public Internet.
I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.
the same "piece of crap" that apple is switching to?
face it: microsoft may suck, but intel (and amd) has given a pretty nice performance/price ratio compared to apple hardware. Maybe it's cause the power pc wasn't manufactured in massive quantities? I don't know.
http://www.bur.st/~paul/securing_mac_os_x.pdf
What does "no open port by default" mean to you?
An OS without *any* open ports can still be vulnerable, by merely having a TCP/IP stack connected to a public network. Even if the stack merely can only respond to ICMP packets (no tcp or udp ports open, nor any other IP protocols enabled), it can still theoretically be vulnerable to DoS attacks via ICMP.
TFA makes no mention whatsoever of disabling ICMP.
Yes, the downtime is a problem. The point I was trying to make is that doing a sudo rm -rf / or its equivalent on any system isn't secure, your files aren't really gone. A lot of people (maybe not people here, but in general) don't realize that. Buy a used hard drive on eBay sometime and see what you can find.
End of Line.
Is FileVault a free software program? I ask because parts of MacOS X are proprietary and parts are free software; if the program is non-free software, then I'd be curious to know how anyone could answer the question about how it encrypts in such a way that the answer would be informative.
Digital Citizen
Does that mean you want to trade?
That is a kind of humorous signature you got yourself there, but should there be question marks following the words "tap"? Does not seem like tapping a keyboard.
is the fact, that it could be replaced with FreeBSD securing guide, but not vice-versa. Hmm.
That is not funny. Would you like it if a random /. reader came to your home and erased your data?
DO NOT RUN THIS COMMAND!!
That report is almost a year old, and is based on data "spanning a period from November, 2003 to October 2004".
Sorry, when it comes to security, I like fresh data...
That report might have been accurate at that very moment in time, but the area of information security is so dynamic, that older reports, such as this one, while insightful, shouldn't be used as a barometer for the present or the future.
But, what if normal user can do it due to the lack of security? Like on OSX.
Although your comment was correct in every aspect, it also failed in every other viewpoint.
It is not the question of security if files are gone or not (if this would be the question then your comment is 100% correct), real question here is "Can they disappear (even temporarily) due to lack of security and cause loss or downtime?"
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Like any other Unix system, you should take care who gets sudo access. In the case of OS X, an Admin user can use sudo, while a Standard account can not.
End of Line.
I own 4 laptops and definitely my OS X is the most secure.
Laptop Security - Anti-theft Tracking and Data Protection: http://www.stealthsignal.com/
Knowing that this was a new development in Tiger, I compared the new config file with an older one from Panther and noticed the line #UsePAM no. Uncommenting this finally disabled passwords, which implies that the default must not be no as indicated. Very odd...
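The observation in the comment above, as an added example (not part of the thread and not from the Corsaire guide): a commented-out line such as `#UsePAM no` has no effect, so the compiled-in default applies whatever the comment suggests. The sketch assumes the file is OpenSSH's `sshd_config` and that the three directives listed are the ones to review; the sample config is constructed.

```python
import re

# Assumption for this example: these OpenSSH directives together decide
# whether sshd still accepts a password, so each one is reviewed.
PASSWORD_DIRECTIVES = ("PasswordAuthentication",
                       "ChallengeResponseAuthentication",
                       "UsePAM")
WATCHED = {name.lower() for name in PASSWORD_DIRECTIVES}

# Constructed sample: one directive set explicitly, one present only as a
# commented-out hint, one missing altogether.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample, not a real Tiger file)
Protocol 2
PasswordAuthentication no
#UsePAM no
PermitRootLogin no
"""

LINE_RE = re.compile(r"^\s*(#?)\s*([A-Za-z]+)[\s=]+(\S.*?)\s*$")


def parse_directives(text):
    """Return {keyword_lower: (state, value)} for the watched directives.

    state is "explicit" for an active line and "commented" for a line that
    exists only behind '#'. sshd keeps the first active value it reads, so
    later duplicates are ignored and an active line always beats a comment.
    """
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        hashed, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if not hashed and key == "match":
            break  # conditional overrides start here; out of scope
        if key not in WATCHED:
            continue
        state = "commented" if hashed else "explicit"
        prev = found.get(key)
        if prev is None or (prev[0] == "commented" and state == "explicit"):
            found[key] = (state, value)
    return found


def password_login_findings(text):
    """List (directive, reason) for every directive not explicitly 'no'."""
    found = parse_directives(text)
    findings = []
    for name in PASSWORD_DIRECTIVES:
        state, value = found.get(name.lower(), ("absent", None))
        if state == "explicit" and value.lower() == "no":
            continue
        if state == "explicit":
            findings.append((name, "set to %s" % value))
        elif state == "commented":
            findings.append((name, "commented-out hint only; default applies"))
        else:
            findings.append((name, "not set; default applies"))
    return findings


if __name__ == "__main__":
    for name, reason in password_login_findings(SAMPLE_CONFIG):
        print("%-34s %s" % (name, reason))
```
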
Yep, exactly as I said. You are just as 100% correct, as you are 100% wrong. Result depends on starting viewpoint.
Question here is if default user (usually users don't create more separate accounts) is admin:) and if "sudo rm" is possible by default.
Maybe you didn't get it, but joker (as you described parent poster) was aiming at the same sentence (and the same flaw, default user being admin by default, I'm not saying you can't restrict this account) as I did:)
Transcribed from original /. article
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS.
MOST SECURE DEFAULT INSTALLATIONS???
I hope you get the (joke??? default security flaw???) problem.
In any other *X "rm -rf /" would delete some files just as on OSX, difference is that "sudo rm" is OSX only. Any other *X would delete all user files, not disk. Main difference is how you handle things. If you use filesystem that does not delete files, but just stores a copy then not even "sudo rm -rf /" can't do any damage. This is of course problem laid on admin that takes care of the computer. In all my years being involved in security, I can say you only one thing. "There are two kinds of security parameters, default setup and admin" which takes you to these conclusions.
1. If default setup is good, then some lazy or incompetent admin can make a fairly secure installation.
2. If default setup is bad then all responsibility lies on admin. (default OSX can be defined in this group, and since most of the OSX users are not guru admins, well here is your answer)
3. If admin is competent (:and not lazy:) then talking about which OS is more secure is more or less impossible
Now, why this book was written by incompetent person?
Personally, if you ask me how secure is default linux (which is preferred server installation in my case), pretty much about almost fairly secure (for servers I install CentOS) for users, not even thinkable for servers. Why? As long as you use any kind of widely distributed services you are prone to be hacked. Few basic lessons:
1.Obfuscate service names, for example defining apache version in httpd.conf is just a first step to the real approach. Asking server who he is is not the only way to get its version. Any portscanner will report you correct result
2.Use as much of chrooted and user based services as possible
3.Use different than default services
Why OSX lags in security and why it is not a good solution to be used on servers?
1.No role based security (for example selinux)
2.No container based security (Solaris or xen)
Perfect server install would contain not one OS but service based OS instances that correspond to master kernel and are controlled by master role based parameters (this is already possible with xen and selinux, and it will be as default setup on linux from very soon). (Solaris doesn't need xen as much as linux, because it already has containers, but containers are still one step behind xen OS instances).
Now to users (remember, I'm talking about DEFAULT)
Basic OSX is just as secure as Windows 98. I can make you (in about 5 minutes) a little script that destroys your computer in a state where it is unusable (and to a state you've never seen Windows behave so badly). Almost every OS has its flaws, but I still can't do that as easy (as on OSX) on either Linux or WindowsXP (well I can do that on XP but it will at least need reboot to take effect, nothing easier if default user is admin. Just name some system files to be removed on reboot. It is a typical registry option needed by setup to replace system or used files at reboot because they were locked in the active session. Practically you don't do anything illegal, you just use the fact that user is admin and merge a little registry nodes, if user is not admin you can still affect it by the fact that IE service runs with admin privileges, but it is not as simple as it should be. By default user wou
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition