Slashdot Mirror
Securing Mac OS X Tiger
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
I put a tiger on a leash once. It didn't work. Don't try this at home, kids!
Ah, good Slashdot.... Now it warns us that TFA is "long", even.
But of course, I don't think anyone ever tries to RTFA, so the thoughtful gesture is lost on us....
If you're going for corporate security, you're probably going to look at every aspect you need to lock down. Security by default matters for 90% of desktop users, but don't you disable services/add firewalls as soon as you set up your OS?
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I remember they did a write up last year about securing OS X Panther.
Nice to see Roy Horn has recovered enough to post on slashdot.
One of the features that this article highlights is the Secure swap space, which allows you to have your swap space encrypted so that it cannot be read either unintentionally or intentionally. FileVault is fairly secure for storing business documentation, etc also. Article is well worth a read for any mac user, and non mac user who may have macs in their environment
Security still depends on the user of the software, even the most secure system can be opened WIDE up if someone chooses (or chooses without knowing) to make it so. You can have everything encrypted, but if your password is easily guessable then your encryption is weak. This goes with the thought that "A system is only as secure as it's weakest point."
Law enforcement agencies annouce that "OS X Tiger" stands in the way of forensic investigation. Story at eleven.
Mildly funny, but also a bit irresponsible without a warning:
Folks, sudo puts you into superuser mode and executes a command, rm. rm removes files, in this case, all of them.
Unless you enjoy completely rebuilding a system and losing all your data files, don't run this command.
Another tip: never enter console commands you don't understand.
http://www.nsa.gov/snac/
M ac_OS_X.pdf
http://www.net-security.org/dl/articles/Securing_
http://eq.rsug.itd.umich.edu/software/radmind/
http://homepage.mac.com/hogfish/PhotoAlbum2.html
Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks.
Grab it by the toe.
Wear good earplugs.
I didn't see any mention of disabling this dangerous feature in the article.
By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximatly 0.000000001 seconds to brute force with John the Ripper.
So it's advisable to somehow disable this functionalty.
No, it doesn't. It just marks as deleted all the inodes for all the files on your disk. Do this, then give the disk to someone with EnCase, and watch them promptly recreate every file on your disk.
End of Line.
Believe me, you haven't missed anything.
.app folder copied by user can be tainted anytime by anyone modifying one single file from terminal.
Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm dissapointed that a real Mac problem was not addressed. It allows you world writable Applications directory, and
It contains:
Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs, changing user home directories from 022 to 027, tcp_wrappers, xinetd, and other services, file vault, encrypted disk images...
Basicaly the only positive thing I got from reading it, was how insecure default OSX (talking about DEFAULT here, not what is possible. Mac line was always "Just works") really is. It is more or less as secure as Windows 98 with few bugs taken out and few new entred.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Yeah, right. At what cost? Count downtime and all service costs.
Windows has the same feature, so what?
On Linux you can install libtrash or any other kind of protection, which is much nicer than any filesystem default, so what?
On VAX all the versions were collected, so what??
It is downtime and service needed that counts not someone with EnCase. Problem is that you can do rm / by default and not what it does and not wheter Mac is holy or not.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Want to trade for a slow intel piece of crap?
Unplug the power. I mean, we all know the most secure computer is the one that's turned off, right? And of course it should be locked up in a safe in a deep dark cavern protected by a dragon or something.
London-based mi2g Intelligence Unit on Tuesday released a report that says Mac OS X and Berkeley Standard Distribution (BSD) Unix are the "world's safest and most secure 24/7 online computing environments." Linux operating systems offer the worst track record, according to mi2g, with Windows coming in second.
x .php
http://www.macworld.com/news/2004/11/02/mi2g/inde
You can specify any keychain file as your default, and it can be anywhere. If that's a CF card in the PCMCIA slot, your keychain is removable. Thumb drives also work, of course, but the CF card doesn't protrude beyond the case.
This is very interesting. The article points out that small businesses and individuals get cracked more than big organizations. It also points out that more people use Windows and Linux than Mac OS X and BSD. I wonder if the numbers take that into account. Are the Linux statistics balanced with the windows counts, etc?
/etc or used a terminal on OS X server or linux they are an idiot. BSD people have no choice :)
I think there might be two problems with the information assuming the numbers are normalized on installs vs succesful compromises. First, Mac OS X is the most widely sold UNIX like OS in the world. Its hard to believe that OS X and BSD counted together is more than Linux. Most other surveys put them at about the same percentage. If you look at servers then linux would blow out OS X and probably BSD. Desktops i think linux would do better than BSDs aside from OS X. Second, it would be nice to see data on how well trained the sys admins were on the systems. Many people don't know linux well enough to properly secure it. An OSX destkop ships in a safer default than most linux distros. In fact, if you look at the bloated distros they ship with several programs that do the same thing. (KDE and Gnome along with software) 4 browsers, 3 email clients, probably 20 text editors, etc. OS X server and Linux are both a pain in the ass for different reasons. I think they give a false sense of security because of the user interface. (graphical and not distros like gentoo or debian that don't include x11 by default) Windows has the same problem. If you meet a windows admin who's never touched the registry then you know they are an idiot. Likewise, if someone hasn't touch a config file in
Obscurity only goes so far. I'd also like to know what caused the linux distros to get attacked. Was it a kernel flaw, service issue, common open source software? For example, many operating systems come with a webserver now (apache or iis). Is there a pattern on services?
I write this on a redhat EL 3.0 workstation install. I've noticed that i get about the same number of security updates in a month for my windows box and this redhat machine. Today i had to install 5 patches to redhat. (last patched a week ago) and i patched windows a few days ago and had 3. My ibook g4 laptop with tiger on it has had about 7 security patches in the last month and countless new versions of software like quicktime, itunes, etc. I've always wondered if apple hides security updates in new versions of software and doesn't tell anyone. My point is that all my operating systems seem to require the same amount of security patching in desktop scenarios. My FreeBSD file server and webservers tend to need 1-2 patches a month as part of the userland and then new versions of software add up for say 20-25 portupgrades a month. And that does not include apache, mysql or php which i manually compile and install.
Numbers without more background are not that helpful.
MidnightBSD: The BSD for Everyone
I skimmed through it, and it's pretty thorough. Great for lab admins to have handy. I do wish they would have mentioned something about chroot for SFTP though.
I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.
There are options in Tigers security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be be disabled for similar reasons.
Password policies! I had no idea Tiger could do that.
After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.
This is a very good article.
Without even R'ing the FA, I can tell you that truly securing the Mac OS is just as easy as truly securing any other OS.
1) Unplug it from any network.
2) Strictly control whoever gets physical access.
3) ???
4) Security!
Seriously... after watching some dipshit try over 4,000 times within the span of a couple hours to attempt buffer overflows on every listening port on my honeypot last Friday afternoon, before I finally blacklisted his entire class C from my router, I've come to the same conclusion that the DoD has... that NO computer connected to the Internet can be made secure... period... that you should only connect disposeable devices to the public Internet.
I even wonder if I'm not the bigger dipshit for sitting there watching this idiot half the afternoon, throwing the kitchen sink at my poor machine in vain, before pulling the plug on him and banishing his whole netblock.
What does "no open port by default" mean to you?
An OS without *any* open ports can still be vulnerable, by merely having a TCP/IP stack connected to a public network. Even if the stack merely can only respond to ICMP packets (no tcp or udp ports open, nor any other IP protocols enabled), it can still theoretically be vulnerable to DoS attacks via ICMP.
TFA makes no mention whatsoever of disabling ICMP.
That is not funny. Would you like it if a random /. reader came to your home and erased your data?
DO NOT RUN THIS COMMAND!!