Your SlideShare is downloading. ×
0
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
OS X security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OS X security

222

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
222
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. OS X Security IT Security Analyst – Robert Vinson [email_address] [email_address]
  • 2. Reality Check <ul><li>OS X had a similar number of vulnerabilities patched as Windows last year. </li></ul><ul><li>Rootkits and worms have been developed for OS X. </li></ul><ul><li>OS X machines can be and have been compromised. </li></ul><ul><li>Move to x86 architecture makes OS X a more attractive target to exploit developers. </li></ul><ul><li>The Point: Use Anti-Virus, keep up to date on patches, etc. </li></ul>
  • 3. Physical/Boot Security <ul><li>Location – adequate visual surveillance </li></ul><ul><li>Service Provided – Affects which mitigation steps are realistic </li></ul><ul><li>Desktops </li></ul><ul><ul><li>Open Firmware password </li></ul></ul><ul><ul><li>Case lock </li></ul></ul><ul><ul><li>Disable automatic root login in Single-User mode </li></ul></ul><ul><li>Servers </li></ul><ul><ul><li>Open Firmware password would hinder remote reboot </li></ul></ul>
  • 4. Software Updates <ul><li>System Preferences -&gt; Software Update </li></ul><ul><ul><li>Servers should generally have this disabled. </li></ul></ul><ul><ul><li>Workstations should have daily update checks. </li></ul></ul>
  • 5. Disable Unneeded Services <ul><li>Enumerate open ports </li></ul><ul><ul><li>Netstat </li></ul></ul><ul><ul><li>Port scanner </li></ul></ul><ul><ul><li>Server Admin application </li></ul></ul><ul><li>Disable unneeded services </li></ul><ul><ul><li>Server Admin </li></ul></ul><ul><ul><li>/etc/hostconfig </li></ul></ul>
  • 6. SSH <ul><li>Edit configuration file - /etc/sshd_config </li></ul><ul><li>Disallow root logins </li></ul><ul><li>Add usernames which should be able to connect via the AllowedUsers Directive. </li></ul><ul><li>Utilize firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only) </li></ul><ul><li>Add the service to xinetd and utilize xinetd throttling capabilites. </li></ul>
  • 7. Permissions <ul><li>OS X Permissions are weak. </li></ul><ul><ul><li>Many world writable/readable directories and even executables! </li></ul></ul><ul><li>Set more restrictive umask </li></ul><ul><ul><li>Can be done via shell initialization files and/or globally </li></ul></ul><ul><li>Audit permissions system wide </li></ul><ul><ul><li>Good place to start: SUID files, world writable/files/directories </li></ul></ul>
  • 8. File Serving <ul><li>AFP - allows for encrypted File transfer. </li></ul><ul><li>NFS - netboot mounts should be exported as read-only and squash root by default. </li></ul><ul><li>SMB – sharing in Windows environments. </li></ul>
  • 9. Firewall <ul><li>OS X uses the IPFW firewall. </li></ul><ul><li>Server Admin can be used to configure the firewall. </li></ul><ul><li>Greater control can be had by editing the /etc/ipfilter/ipfw.conf file. </li></ul><ul><li>IPFW utility can be scripted to open up ports at needed times, etc. </li></ul><ul><li>Utilize the firewall to scope down accessibility to services. </li></ul>
  • 10. Logging <ul><li>Syslog – configuration in /etc/syslog.conf </li></ul><ul><li>/var/log </li></ul><ul><li>Remote logging, as always, is a very good idea. </li></ul><ul><ul><li>Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s). </li></ul></ul><ul><ul><li>Generally a good idea to have a separate partition for /var or even /var/log on a syslog server </li></ul></ul>
  • 11. User Authentication <ul><li>Utilize Open Directory to set a password policy </li></ul><ul><ul><li>Some Recommended settings </li></ul></ul><ul><ul><ul><li>8 char long passwords </li></ul></ul></ul><ul><ul><ul><li>Require alphanumeric </li></ul></ul></ul><ul><ul><ul><li>Enable expiring passwords </li></ul></ul></ul><ul><ul><ul><li>Enable account locking for failed attempts </li></ul></ul></ul><ul><li>Use pwpolicy to set policy </li></ul>
  • 12. Misc. <ul><li>File Vault </li></ul><ul><li>Disk Utility for fixing permissions </li></ul>
  • 13. References/Resources <ul><li>OS X Benchmark security document - http://www.cisecurity.org </li></ul><ul><li>NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac </li></ul><ul><li>Apple – www.apple.com </li></ul>

×