OS X security
Upcoming SlideShare
Loading in...5

OS X security






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

OS X security OS X security Presentation Transcript

  • OS X Security IT Security Analyst – Robert Vinson [email_address] [email_address]
  • Reality Check
    • OS X had a similar number of vulnerabilities patched as Windows last year.
    • Rootkits and worms have been developed for OS X.
    • OS X machines can be and have been compromised.
    • Move to x86 architecture makes OS X a more attractive target to exploit developers.
    • The Point: Use Anti-Virus, keep up to date on patches, etc.
  • Physical/Boot Security
    • Location – adequate visual surveillance
    • Service Provided – Affects which mitigation steps are realistic
    • Desktops
      • Open Firmware password
      • Case lock
      • Disable automatic root login in Single-User mode
    • Servers
      • Open Firmware password would hinder remote reboot
  • Software Updates
    • System Preferences -> Software Update
      • Servers should generally have this disabled.
      • Workstations should have daily update checks.
  • Disable Unneeded Services
    • Enumerate open ports
      • Netstat
      • Port scanner
      • Server Admin application
    • Disable unneeded services
      • Server Admin
      • /etc/hostconfig
  • SSH
    • Edit configuration file - /etc/sshd_config
    • Disallow root logins
    • Add usernames which should be able to connect via the AllowedUsers Directive.
    • Utilize firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only)
    • Add the service to xinetd and utilize xinetd throttling capabilites.
  • Permissions
    • OS X Permissions are weak.
      • Many world writable/readable directories and even executables!
    • Set more restrictive umask
      • Can be done via shell initialization files and/or globally
    • Audit permissions system wide
      • Good place to start: SUID files, world writable/files/directories
  • File Serving
    • AFP - allows for encrypted File transfer.
    • NFS - netboot mounts should be exported as read-only and squash root by default.
    • SMB – sharing in Windows environments.
  • Firewall
    • OS X uses the IPFW firewall.
    • Server Admin can be used to configure the firewall.
    • Greater control can be had by editing the /etc/ipfilter/ipfw.conf file.
    • IPFW utility can be scripted to open up ports at needed times, etc.
    • Utilize the firewall to scope down accessibility to services.
  • Logging
    • Syslog – configuration in /etc/syslog.conf
    • /var/log
    • Remote logging, as always, is a very good idea.
      • Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s).
      • Generally a good idea to have a separate partition for /var or even /var/log on a syslog server
  • User Authentication
    • Utilize Open Directory to set a password policy
      • Some Recommended settings
        • 8 char long passwords
        • Require alphanumeric
        • Enable expiring passwords
        • Enable account locking for failed attempts
    • Use pwpolicy to set policy
  • Misc.
    • File Vault
    • Disk Utility for fixing permissions
  • References/Resources
    • OS X Benchmark security document - http://www.cisecurity.org
    • NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac
    • Apple – www.apple.com