OS X security
    OS X security: Presentation Transcript

    • OS X Security. IT Security Analyst – Robert Vinson [email_address]
    • Reality Check
      • OS X had a similar number of vulnerabilities patched as Windows last year.
      • Rootkits and worms have been developed for OS X.
      • OS X machines can be and have been compromised.
      • The move to the x86 architecture makes OS X a more attractive target to exploit developers.
      • The Point: Use Anti-Virus, keep up to date on patches, etc.
    • Physical/Boot Security
      • Location – adequate visual surveillance
      • Service Provided – Affects which mitigation steps are realistic
      • Desktops
        • Open Firmware password
        • Case lock
        • Disable automatic root login in Single-User mode
      • Servers
        • Open Firmware password would hinder remote reboot
    • Software Updates
      • System Preferences -> Software Update
        • Servers should generally have this disabled.
        • Workstations should have daily update checks.
    • Disable Unneeded Services
      • Enumerate open ports
        • netstat
        • Port scanner
        • Server Admin application
      • Disable unneeded services
        • Server Admin
        • /etc/hostconfig
    • SSH
      • Edit configuration file - /etc/sshd_config
      • Disallow root logins
      • Use the AllowUsers directive to list the usernames that should be able to connect.
      • Utilize the firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only)
      • Add the service to xinetd and utilize xinetd throttling capabilities.
    • Permissions
      • OS X Permissions are weak.
        • Many world-writable/readable directories and even executables!
      • Set more restrictive umask
        • Can be done via shell initialization files and/or globally
      • Audit permissions system wide
        • Good place to start: SUID files, world-writable files/directories
    • File Serving
      • AFP - allows for encrypted file transfer.
      • NFS - netboot mounts should be exported as read-only and squash root by default.
      • SMB – sharing in Windows environments.
    • Firewall
      • OS X uses the IPFW firewall.
      • Server Admin can be used to configure the firewall.
      • Greater control can be had by editing the /etc/ipfilter/ipfw.conf file.
      • IPFW utility can be scripted to open up ports at needed times, etc.
      • Utilize the firewall to scope down accessibility to services.
    • Logging
      • Syslog – configuration in /etc/syslog.conf
      • /var/log
      • Remote logging, as always, is a very good idea.
        • Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s).
        • Generally a good idea to have a separate partition for /var or even /var/log on a syslog server
    • User Authentication
      • Utilize Open Directory to set a password policy
        • Some Recommended settings
          • 8 char long passwords
          • Require alphanumeric
          • Enable expiring passwords
          • Enable account locking for failed attempts
      • Use pwpolicy to set policy
    • Misc.
      • FileVault
      • Disk Utility for fixing permissions
    • References/Resources
      • OS X Benchmark security document - http://www.cisecurity.org
      • NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac
      • Apple – www.apple.com
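
The system-wide permissions audit suggested on the Permissions slide (SUID files, world-writable files and directories), as an added example that is not part of the original presentation. The function names, output labels and the sample tree are assumptions made for illustration; the sample tree is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example: audit the permission classes named on the Permissions slide.
# audit_perms ROOT prints one "CLASS<TAB>path" line per finding.
audit_perms() {
    root=$1
    {
        # Set-UID / set-GID files run with their owner's or group's privileges.
        find "$root" -xdev -type f -perm -4000 -exec printf 'SUID\t%s\n' {} \;
        find "$root" -xdev -type f -perm -2000 -exec printf 'SGID\t%s\n' {} \;
        # World-writable files: any local user can change their contents.
        find "$root" -xdev -type f -perm -0002 -exec printf 'WW-FILE\t%s\n' {} \;
        # World-writable directories without the sticky bit: any local user
        # can delete or replace files that belong to someone else.
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 \
            -exec printf 'WW-DIR\t%s\n' {} \;
    } 2>/dev/null | sort
}

# Constructed sample tree (not from the slides) covering each case.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    touch "$t/helper" "$t/shared.conf" "$t/normal.txt"
    mkdir "$t/dropbox" "$t/tmp"
    chmod 4755 "$t/helper"       # set-UID executable: reported as SUID
    chmod 0666 "$t/shared.conf"  # world-writable file: reported as WW-FILE
    chmod 0644 "$t/normal.txt"   # ordinary file: not reported
    chmod 0777 "$t/dropbox"      # world-writable, no sticky bit: WW-DIR
    chmod 1777 "$t/tmp"          # sticky bit set: not reported
    echo "$t"
}

# Demo run against the constructed tree.
tree=$(make_sample_tree) && audit_perms "$tree"
rm -rf "$tree"
```

On a real system, run audit_perms as root against / and compare the output with a known-good baseline; -xdev keeps each find on the starting filesystem, so repeat the call for every mounted volume.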