OS X security - Information Security and Policy Office


OS X Security
IT Security Analyst – Robert Vinson

Reality Check
- OS X had a similar number of vulnerabilities patched as Windows last year.
- Rootkits and worms have been developed for OS X.
- OS X machines can be and have been compromised.
- Move to x86 architecture makes OS X a more attractive target to exploit developers.
- The Point: Use anti-virus, keep up to date on patches, etc.

Physical/Boot Security
- Location – adequate visual surveillance
- Service Provided – affects which mitigation steps are realistic
- Desktops
  - Open Firmware password
  - Case lock
  - Disable automatic root login in Single-User mode
- Servers
  - Open Firmware password would hinder remote reboot

Software Updates
- System Preferences -> Software Update
  - Servers should generally have this disabled.
  - Workstations should have daily update checks.

Disable Unneeded Services
- Enumerate open ports
  - Netstat
  - Port scanner
  - Server Admin application
- Disable unneeded services
  - Server Admin
  - /etc/hostconfig

SSH
- Edit configuration file - /etc/sshd_config
- Disallow root logins
- Add usernames which should be able to connect via the AllowUsers directive.
- Utilize firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only)
- Add the service to xinetd and utilize xinetd throttling capabilities.

Permissions
- OS X permissions are weak.
  - Many world-writable/readable directories and even executables!
- Set more restrictive umask
  - Can be done via shell initialization files and/or globally
- Audit permissions system wide
  - Good place to start: SUID files, world-writable files/directories
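
The audit suggested on this slide, as an added example that is not part of the original presentation: a POSIX shell script that lists set-UID/set-GID files, world-writable files, and world-writable directories lacking the sticky bit under a given tree, plus a umask check. The function names, output tags and sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: permission audit for one directory tree (pass / for a system-wide run).
# Uses only find(1) primaries that behave the same on BSD (OS X) and GNU find.

# Print findings under $1, one per line, tagged by kind:
#   SETID    set-UID or set-GID regular file (review each; some are legitimate)
#   WW-FILE  world-writable regular file
#   WW-DIR   world-writable directory without the sticky bit
audit_tree() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sed 's/^/SETID /'
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sed 's/^/WW-FILE /'
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sed 's/^/WW-DIR /'
}

# Succeed only if the octal umask $1 removes all access for "other" (e.g. 027, 077).
# Returns 2 when $1 is not an octal number.
umask_blocks_other() {
    case $1 in ''|*[!0-7]*) return 2 ;; esac
    [ $(( 0$1 & 007 )) -eq 7 ]
}

# Constructed sample tree so the script can be tried without touching real files.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/drop" "$d/tmp" "$d/bin"
    : > "$d/bin/helper"; : > "$d/notes.txt"; : > "$d/shared.txt"
    chmod 4755 "$d/bin/helper"     # set-UID file: reported as SETID
    chmod 0666 "$d/shared.txt"     # world-writable file: reported as WW-FILE
    chmod 0644 "$d/notes.txt"      # not reported
    chmod 0777 "$d/drop"           # world-writable, no sticky bit: reported as WW-DIR
    chmod 1777 "$d/tmp"            # world-writable but sticky: not reported
    audit_tree "$d" | sed "s|$d|<tree>|" | sort
    rm -rf "$d"
}

demo
umask_blocks_other "$(umask)" ||
    echo "current umask $(umask) leaves new files accessible to other users"
```
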
File Serving
- AFP - allows for encrypted file transfer.
- NFS - netboot mounts should be exported as read-only and squash root by default.
- SMB – sharing in Windows environments.

Firewall
- OS X uses the IPFW firewall.
- Server Admin can be used to configure the firewall.
- Greater control can be had by editing the /etc/ipfilter/ipfw.conf file.
- IPFW utility can be scripted to open up ports at needed times, etc.
- Utilize the firewall to scope down accessibility to services.

Logging
- Syslog – configuration in /etc/syslog.conf
- /var/log
- Remote logging, as always, is a very good idea.
  - Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s).
  - Generally a good idea to have a separate partition for /var or even /var/log on a syslog server

User Authentication
- Utilize Open Directory to set a password policy
  - Some recommended settings
    - 8 char long passwords
    - Require alphanumeric
    - Enable expiring passwords
    - Enable account locking for failed attempts
- Use pwpolicy to set policy

Misc.
- File Vault
- Disk Utility for fixing permissions

References/Resources
- OS X Benchmark security document - http://www.cisecurity.org
- NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac
- Apple – www.apple.com