OS X security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

OS X security

  1. 1. OS X Security IT Security Analyst – Robert Vinson [email_address] [email_address]
  2. 2. Reality Check <ul><li>OS X had a similar number of vulnerabilities patched as Windows last year. </li></ul><ul><li>Rootkits and worms have been developed for OS X. </li></ul><ul><li>OS X machines can be and have been compromised. </li></ul><ul><li>Move to x86 architecture makes OS X a more attractive target to exploit developers. </li></ul><ul><li>The Point: Use Anti-Virus, keep up to date on patches, etc. </li></ul>
  3. 3. Physical/Boot Security <ul><li>Location – adequate visual surveillance </li></ul><ul><li>Service Provided – Affects which mitigation steps are realistic </li></ul><ul><li>Desktops </li></ul><ul><ul><li>Open Firmware password </li></ul></ul><ul><ul><li>Case lock </li></ul></ul><ul><ul><li>Disable automatic root login in Single-User mode </li></ul></ul><ul><li>Servers </li></ul><ul><ul><li>Open Firmware password would hinder remote reboot </li></ul></ul>
  4. 4. Software Updates <ul><li>System Preferences -> Software Update </li></ul><ul><ul><li>Servers should generally have this disabled. </li></ul></ul><ul><ul><li>Workstations should have daily update checks. </li></ul></ul>
  5. 5. Disable Unneeded Services <ul><li>Enumerate open ports </li></ul><ul><ul><li>Netstat </li></ul></ul><ul><ul><li>Port scanner </li></ul></ul><ul><ul><li>Server Admin application </li></ul></ul><ul><li>Disable unneeded services </li></ul><ul><ul><li>Server Admin </li></ul></ul><ul><ul><li>/etc/hostconfig </li></ul></ul>
  6. 6. SSH <ul><li>Edit configuration file - /etc/sshd_config </li></ul><ul><li>Disallow root logins </li></ul><ul><li>Add usernames which should be able to connect via the AllowedUsers Directive. </li></ul><ul><li>Utilize firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only) </li></ul><ul><li>Add the service to xinetd and utilize xinetd throttling capabilites. </li></ul>
  7. 7. Permissions <ul><li>OS X Permissions are weak. </li></ul><ul><ul><li>Many world writable/readable directories and even executables! </li></ul></ul><ul><li>Set more restrictive umask </li></ul><ul><ul><li>Can be done via shell initialization files and/or globally </li></ul></ul><ul><li>Audit permissions system wide </li></ul><ul><ul><li>Good place to start: SUID files, world writable/files/directories </li></ul></ul>
  8. 8. File Serving <ul><li>AFP - allows for encrypted File transfer. </li></ul><ul><li>NFS - netboot mounts should be exported as read-only and squash root by default. </li></ul><ul><li>SMB – sharing in Windows environments. </li></ul>
  9. 9. Firewall <ul><li>OS X uses the IPFW firewall. </li></ul><ul><li>Server Admin can be used to configure the firewall. </li></ul><ul><li>Greater control can be had by editing the /etc/ipfilter/ipfw.conf file. </li></ul><ul><li>IPFW utility can be scripted to open up ports at needed times, etc. </li></ul><ul><li>Utilize the firewall to scope down accessibility to services. </li></ul>
  10. 10. Logging <ul><li>Syslog – configuration in /etc/syslog.conf </li></ul><ul><li>/var/log </li></ul><ul><li>Remote logging, as always, is a very good idea. </li></ul><ul><ul><li>Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s). </li></ul></ul><ul><ul><li>Generally a good idea to have a separate partition for /var or even /var/log on a syslog server </li></ul></ul>
  11. 11. User Authentication <ul><li>Utilize Open Directory to set a password policy </li></ul><ul><ul><li>Some Recommended settings </li></ul></ul><ul><ul><ul><li>8 char long passwords </li></ul></ul></ul><ul><ul><ul><li>Require alphanumeric </li></ul></ul></ul><ul><ul><ul><li>Enable expiring passwords </li></ul></ul></ul><ul><ul><ul><li>Enable account locking for failed attempts </li></ul></ul></ul><ul><li>Use pwpolicy to set policy </li></ul>
  12. 12. Misc. <ul><li>File Vault </li></ul><ul><li>Disk Utility for fixing permissions </li></ul>
  13. 13. References/Resources <ul><li>OS X Benchmark security document - http://www.cisecurity.org </li></ul><ul><li>NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac </li></ul><ul><li>Apple – www.apple.com </li></ul>