Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
PROCEDURES FOR SECURING SYSTEMS
Security Guidelines for Mac OS X Server
  A. Physical Security
  B. Protecting against Viruses and Worms
  C. Securing Accounts and Account Access
  D. Protecting against Unauthorized Privilege Use
  E. File System and Sharing Security
  F. Securing Services
  G. Deleting Unnecessary Accounts
  H. Configuring Logging
  I. Patching Your System
  J. Other Mac OS X Server Security Tips
  K. Conclusion
  L. Online Resources

_____________

IMPORTANT SUGGESTION: Make a full backup of your system before you follow the steps in this checklist, in the unlikely event that your system becomes inoperable. If you are not sure how to make a backup, call the Help Desk at 486-4357 or sign up for the low-cost LBNL backup service online.

A. Physical Security

[ ] Implement physical security measures such as a keyboard lock, a locking encasement, and placing the system in a server room with restricted access.

Mac OS X is defenseless against local attacks unless at least some physical security measures are in place. Someone who gains physical access to a Mac can, for instance, plug in an alternate boot device such as a FireWire hard drive and boot from it. Booting from a Mac OS 9 CD in the internal optical drive also gives full access to every partition formatted with the HFS+[1] file system. Additionally, booting from a CD can give anyone access to the password reset program on the Mac OS X installation CD.

[ ] Purchase and install software such as Startup Security to guard against unauthorized single-user boots, or disable single-user mode altogether.

If the "Command" and "s" keys are held down during startup, a Mac OS X system boots into "single user mode," giving whoever started the boot sequence root access without having to enter any password. Needless to say, this is a potential security catastrophe. Startup Security allows the system administrator to set a password that must be entered at boot-up and when a Mac wakes from sleep, allows booting only from a designated device, and offers other control features.

Another good countermeasure is to download and install MSEC, a free patch that disables single-user boots altogether.

IMPORTANT WARNING: Although preventing single-user boots altogether is good for security, it also unfortunately prevents emergency access to your machine if you forget your password or if your password becomes corrupted. If you disable single-user mode, you are strongly advised to create an additional account with root privileges, assign this account an incredibly hard-to-guess and hard-to-remember password that is 8 characters long, and then write it on a slip of paper and keep it in your wallet or purse in case you ever need it in an emergency. Otherwise, you should never use this emergency account. Do not post the slip of paper that contains the password anywhere and do not even store it in a desk drawer where someone else might see it.

An alternative is to enable Apple's Open Firmware Password Protection, which requires a password for each single-user boot. SecureMac.com describes how to enable this password protection with Apple’s Open Firmware Password, a GUI utility.

IMPORTANT WARNING: Before you install Open Firmware Password, be sure you read and understand the information in Apple's Knowledgebase. Using Open Firmware Password incorrectly can damage your computer.

[ ] Enable password protection in your system's screen saver.

Unattended terminals spell security trouble regardless of the particular operating system. Go to System Preferences > Screen Effects > Activation > Use my User Account Password. Make the delay period small, e.g., 5 minutes, and create a hot corner in the "Hot Corners" tab for instant activation of the screen saver, in case you ever need to activate it immediately. To do this, go to Screen Effects > Hot Corners > Activation.

[ ] (Optional) Change the security mode parameter in Open Firmware from "none" to "command" or "full."

Changing the security mode parameter in Open Firmware to "command" will limit the commands that can be initially entered to "go" and "boot" and will not allow any arguments to be entered with "boot." Changing this parameter to "full" requires that a password be entered before a command can be entered, any parameters can be changed, or a boot using special keys (to boot from a device such as a CD-ROM or in a special mode such as single-user mode) can occur. Use Open Firmware Password to make this change.

B. Protecting Against Viruses and Worms

[ ] Download and install the Lab’s free antivirus software for Mac OS X.

Although Windows systems are overwhelmingly the most common targets of viruses and worms, no Mac system is immune from these types of malicious code, as proven by the success of the Mac/Simpsons@MM worm on Macs just a few years ago. See http://www.lbl.gov/ITSD/Security/systems/mac.html#viruses for information about viruses and worms that can infect Macs. More viruses and worms that specifically target Mac OS X are likely in time. Additionally, there are already several Trojan horse programs that target Mac OS X systems and that anti-virus software will detect and eradicate. Norton AntiVirus for Mac OS X[2] is available to LBNL users for free at http://www.lbl.gov/download/. Note that you need to install only one copy of Norton AV on your Mac; this copy covers both Mac OS X and the Classic environment it uses.

[ ] Ensure that you set up a scheduled Norton AV update and scan a minimum of once a week.

To schedule Norton AV definitions updates on your Mac:

  1. Launch Norton AntiVirus.
  2. Click on the Live Update button in the main window.
  3. Click on the Schedule Future Updates icon.
  4. Click on New to create a new event, and type in a name for the event.
  5. In the pull-down menus, choose the type of update and how often the update will occur.
  6. Enter the start date and the time the update is to occur.
  7. Click OK.

To schedule a scan:

  1. Launch Norton AntiVirus
  2. Click on the Scheduled Scan button
  3. Click on New Scheduled Scan
  4. Enter the date and time
  5. Click OK.

Note: It is important to select different times for automatic scanning and for virus definition updates. Updating definitions takes only a few minutes, but an automatic scan takes quite a while and slows your computer down while it runs.

C. Securing Accounts and Account Access

[ ] Install a warning banner and ensure that it is displayed at the start of every login attempt.

To display a warning banner, perform the following steps:

  1. Download the security warning 1.0 Stuffit archive, and unstuff it with Stuffit Expander.
  2. Drag the security warning 1.0 application to your OS X Applications folder.
  3. Open up System Preferences, and select the Login Items preference pane. You will see a list of items (if any) that are set to run automatically when you log in. Click on Add... Select the security warning 1.0 application and click on the Add button. Leave the Hide box unchecked and quit System Preferences.

If you have more than one user account enabled, you will need to repeat step 3 when logged in as each user.

[ ] Ensure that all passwords for all other accounts are difficult to guess/crack. Guidelines for choosing a good password are at http://www.lbl.gov/cyber/systems/passwords.html#choose.

To change a password:

  1. Go to System Preferences -> Accounts and double-click on Accounts, as shown in the figure below:

    Figure 1. System Preferences screen.

  2. Highlight the account for which you want to change the password, as shown in the figure below:

    Figure 2. Accounts screen.

  3. A dialog box (see figure below) will appear. Enter the current password for the account.

    Figure 3. Password dialog box.

  4. Another dialog box will appear informing you that your Keychain password will be changed to match your new password (see figure below). Click OK.

    Figure 4. Accounts screen.

  5. Now enter the new password in the field to the right of "Password", enter it again in the field to the right of "Verify", and then press <ENTER> (see figure below).

    Figure 5. Keychain password change confirmation.

[ ] Ensure that the password for the root and also for the administrator account is difficult to guess and is 8 characters long.

The administrator account and root account are the two default accounts in Mac OS X (although the root account is disabled by default in Mac OS X Client). These are the two most important accounts on your system; anyone who breaks into either can cause incredible damage and trouble. That is why having a very difficult-to-guess and fairly long password (8 characters) is so important! When you log in to the administrator account for the first time, you can not only set its password but also set the password for the root account. To change the password for either account at any time, use the Mac OS X command shell (via Terminal) to su to that account and then enter passwd.[3] You can also manage passwords for enabled accounts in the Accounts pane in System Preferences. (You'll have to enter the new password twice for the change to take effect.)

WARNING: Granting administrative privileges from the GUI is something of an all-or-nothing proposition. Give careful consideration before checking the "Allow user to administer this computer" check box within the Accounts pane in System Preferences to grant this level of privilege. A finer level of access control is available for command-line activities by editing the /etc/sudoers file.

Note: Entering a root password longer than 8 characters does not do any good—the maximum password length is 8 characters.

[ ] Download and run John the Ripper or Crack to test passwords once a month and get users whose passwords are cracked to change them to something better. (Caution: Do this only if you are the authorized system administrator; otherwise, doing this constitutes a security policy violation per the LBNL RPM, Section 9!) Obtain John the Ripper and an extension that enables it to work on Mac OS X.

Anyone who has access to your Mac OS X system may be able to obtain a copy of the password file and then run a password cracking tool for as long as it takes to crack your password. Additionally, there are no built-in functions to reject bad (easy-to-guess) passwords that users try to enter. It is thus very important to identify passwords that are easily crackable and get users to change them before passwords can be cracked by unauthorized persons.

D. Protecting against Unauthorized Privilege Use

[ ] Allow only the people who genuinely need superuser access to login or su to the administrator and root accounts.

The more people with superuser access, the more likely it is that someone will break in to one of these accounts or use it maliciously or incompetently, damaging your system. Verify that every member of the wheel group (the group that is allowed to use the su command to obtain a root shell) in /etc/group genuinely needs superuser access, and remove from that group the names of any users who do not.

Warning: The Accounts panel in System Preferences is one way of managing user accounts in Mac OS X. A check box for each user account specifies whether that user can or cannot administer the system. If the wrong box is accidentally checked, an everyday user could have superuser privileges on your Mac OS X system!

[ ] Use sudo[4] for users who need to run certain privileged programs but who do not need full administrator or root privileges.

sudo comes with Mac OS X. In /etc/sudoers, include one line for each user, the group to which that user belongs, and the command(s) that can be executed, such as:

sabrina CSNETS = (operator) /system/local/op_commands/

[ ] Look for .rhosts files and delete them altogether if they are not necessary, or if they are necessary, keep the entries in them to a bare minimum.

.rhosts files allow any trusted user listed in them to login to your system, by default without even having to enter a password. Although doing so is convenient, it is a very bad thing for security. An attacker needs only to find the name of the host or account that is trusted to gain access to a trusting host. Besides, your Mac OS X system has secure shell (ssh), which provides encrypted sessions and offers much stronger authentication than can be obtained through trusted access. To find .rhosts files, enter:

# find / -name .rhosts -print

[ ] Turn off the automatic login capability.

Once the administrator account is created and configured, the system administrator has the option of not having to enter any password to log in to that account after the system boots. This option is potentially catastrophic from a security perspective and should be disabled: go to System Preferences, choose the Login icon, and uncheck "Automatically log in" in the "Login Window" tab of the Login preference pane. Depending on how you received the default install of Mac OS X, it may be set to log a user in automatically upon startup, which is generally considered contrary to good security policy.

Warning: Depending on your system’s particular release of Mac OS X, the automatic login capability may be enabled on your system by default!

E. File System and Sharing Security

[ ] If you do not need to share files, turn off file sharing altogether. If you need file sharing, ensure that no folder other than your Public folder or a securely configured sharing folder is shared. Don't allow open share folders (share folders to which everyone can write).

By default, Mac OS X permissions allow remote read access to each user's Public folder if file sharing is enabled. It is best to not enable file sharing at all, provided, of course, that you do not need to share files with other users.

To turn file sharing off:

  1. Go to System Preferences -> Sharing (in the "Internet and Network" section; see screen below).

    Figure 1. System Preferences screen.

  2. From the "Sharing" screen, select "Personal File Sharing" (see screen below) and click on the Stop button at the right.

    Figure 2. Setting Personal File Sharing.

    "Personal File Sharing" should now look like this (see screen below):

    Figure 3. Personal File Sharing disabled.

If you need to enable file sharing, do not allow any more than the default read access to the Public folder. (Go to Utilities > Workgroup Manager > View > Sharing and make sure the only sharepoint listed is Users.) Unless your users need their drop boxes to collect files from others with whom they are collaborating, change the drop box permissions for each user to “read only” to prevent the drop box from becoming a Warez server. Don't allow guests to connect to any folder.

WARNING: If file sharing is enabled, any user with an administrative login can access all the files in all the folders on every volume when logging in remotely. Allowing this increases the risk that someone will read, or possibly even change, one or more sensitive files or even system files, so avoid it unless you have a very strong rationale for doing so.

[ ] Ensure that no files on any UFS partition are world-writeable (e.g., with a permission of XX2, XX3, XX6 or XX7, where the first X represents the owner's permission and the second the group owner's) unless they are part of a drop-in directory intended for the public (a highly unusual situation). If several users need to write to one or more files, create a new group in /etc/group and then allow write access to that group instead.

To obtain a list of files that are world-writeable, bring up a command prompt and then enter:

# find / -perm -002 -type f -print

To change world-writeable files’ permissions to deny world write access, enter:

# chmod o-w <file>[5]

[ ] Ensure that no files on any UFS partition containing sensitive or protected information are either world-writeable or world-readable.

The command to check whether files are world-writeable appears a few lines above. To check whether files are world-readable, bring up a command prompt and then enter:

# find / -perm -004 -type f -print

To change world-readable files’ permissions to deny world-read access, enter:

# chmod o-r <file>

[ ] Whenever possible, avoid setting AFP (Apple Filing Protocol) permissions to allow universal write access to folders.

You can see and change the permissions on a folder by selecting it and running the Get Info command (command-I). The only exception to this rule is drop-in directories, as discussed previously.

[ ] Check for unnecessary set user ID (SUID) and set group ID (SGID) to root binaries on all UFS partitions at least once a month.

SUID-root and SGID-root binaries execute with root privileges, which makes them one of the most commonly used ways for an unprivileged user to gain root privileges. Unfortunately, a default installation of Mac OS X leaves quite a few SUID and SGID binaries in place. Deleting default binaries indiscriminately can spell catastrophe for your system; a safer solution is to remove the SUID or SGID bit from binaries that do not need it. Additionally, attackers can install Trojan SUID and SGID binaries to elevate privileges and/or gain back-door access to systems. It is important, therefore, to look for all SUID and SGID programs and verify that each is legitimate and necessary. To check for SUID root binaries, enter:

# find / -user root -perm -4000 -print

To check for SGID root binaries, enter:

# find / -user root -perm -2000 -print

To change programs to no longer be SUID/SGID, enter:

# chmod 0XXX <file>

Note: The following binaries generally run SUID root, but they are usually unnecessary in modern Unix systems, and thus should be deleted (unless there is a specific reason not to do so):

  • /bin/rcp
  • /sbin/rdump
  • /sbin/rrestore
  • /usr/bin/chfn
  • /usr/bin/chpass
  • /usr/bin/rlogin
  • /usr/bin/rsh
  • /usr/bin/chsh
  • /usr/sbin/sendmail
  • /usr/sbin/sliplogin

The following programs generally run SUID root, but probably do not need to do so. It is thus normally safe to remove the SUID bit from these binaries:

  • /sbin/dump
  • /sbin/ping
  • /sbin/restore
  • /sbin/route
  • /usr/bin/at
  • /usr/bin/atq
  • /usr/bin/atrm
  • /usr/bin/batch
  • /usr/bin/crontab
  • /usr/sbin/netstat

Warning: The following binaries will almost certainly break if the SUID bit is removed, so you should leave them alone:

  • /sbin/mount_nfs
  • /sbin/mount_smbfs
  • /sbin/shutdown
  • /sbin/umount
  • /usr/bin/login
  • /usr/bin/lpq
  • /usr/bin/lpr
  • /usr/bin/lprm
  • /usr/bin/passwd
  • /usr/bin/quota
  • /usr/bin/smbutil
  • /usr/bin/su
  • /usr/bin/sudo
  • /usr/libexec/authopen
  • /usr/libexec/chkpasswd
  • /usr/libexec/load_hdi
  • /usr/libexec/load_webdav
  • /usr/sbin/DirectoryService
  • /usr/sbin/scselect
  • /usr/sbin/traceroute

The following binaries run SGID root, but probably do not need to do so. It is thus normally safe to remove the SGID bit from these binaries:

  • /sbin/dump
  • /sbin/rdump
  • /sbin/restore
  • /sbin/rrestore
  • /usr/bin/wall
  • /usr/bin/write

[ ] Check to see if the sticky bit is set on the tmp directory; set it if it isn’t.

Setting the sticky bit on a temporary directory prevents users other than a file's owner from removing or renaming that file within the directory. To check whether the sticky bit is set on the /tmp directory, enter:

# ls -ldg /tmp
drwxrwxrwt 1 root root 256 July 23 2003 /tmp

(Note: The "t" at the end of the permissions string shows that the sticky bit is set.)

To set the sticky bit on /tmp, enter either of the following:

# chmod 1XXX /tmp
# chmod o+t /tmp

F. Securing Services

[ ] Leave services that you do not need to use disabled. Do not enable additional services such as FTP (unless your system needs to run an FTP server), HTTPD (unless your system needs to run a Web server), named, telnetd, rlogin, rsh, and rexec.

The more services you run, the more ways there are for attackers to hammer your Mac OS X system. Fortunately, in a default installation of Mac OS X, every Internet service is disabled by default.[6] To obtain a list of services running on your system that can be accessed by remote systems, bring up a command prompt and then enter:

cat /etc/inetd.conf

Inserting an asterisk at the beginning of the line for any service that does not need to be available to remote users makes that service remotely unavailable. (Note: You would also do well to check all startup scripts and script execution files, such as /etc/rc, /etc/rc.common, the /System/Library/StartupItems/ directory, and /etc/hostconfig, to ensure that services and programs you do not need are not starting up in the first place. Changing "YES" to "NO", or inserting an asterisk at the beginning of the line for a particular service or program, keeps it from starting up.) For example, if your system runs a mail server but does not need to (in most cases users only need to read and send mail on their Mac OS X system), changing the "YES" to "NO" in the "sendmail_enable" entry in /etc/rc turns off the sendmail server:

sendmail_enable="NO"

Now enter ps -aux and find the PID (process ID) of sendmail, and then enter:

kill -9 <PID> (Note: do not actually enter the angle brackets.)

If you do not need the remote login service, disable it:

  1. Go to System Preferences -> Sharing and double-click on Sharing, as shown in the screen below:

    Figure 1. System Preferences screen.

  2. Highlight "Remote Login" and then click on "Stop" next to "Remote Login On" (see figure below).

    Figure 2. Sharing screen.

  3. Now uncheck "On" for Remote Login, per the screen below:

    Figure 3. Sharing screen.


[ ] Enable sshd and use the ssh command[7] to remotely connect to your Mac OS X system.

Since using SSH is the most secure way to remotely access a Mac OS X system, be sure to enable SSHD if you need remote access to it. Go to View > Sharing > Services and select Remote Login. Now go back to Firewall and select Remote Login - SSH (22).

Be sure to run a very recent version of OpenSSH, ideally version 3.7.x, because older versions of OpenSSH tend to have more vulnerabilities than newer versions. If your system’s OpenSSH version is not current, you’ll need to download a current one from OpenSSH, and then compile it.

[ ] Configure the built-in TCP wrapper to allow connections only from IP addresses, or IP address ranges that you know need to connect to your Mac OS X system.

The TCP wrapper (/usr/libexec/tcpd) checks each incoming service request that the inet daemon (inetd) receives against its configuration files (/etc/hosts.allow and /etc/hosts.deny) to decide whether to allow it, and it logs each request. Although the TCP wrapper is built in, it is disabled by default. To enable it, create the /etc/hosts.allow and /etc/hosts.deny configuration files by entering:

touch /etc/hosts.allow /etc/hosts.deny

It is best to deny any access that is not explicitly allowed. Do this by adding the following entry to /etc/hosts.deny:

ALL:ALL

In /etc/hosts.allow, list the hosts and domains that are exceptions to the "deny all" rule, on a per-service basis, one line per entry. For example, the following allows any machine within lbl.gov to use FTP to connect to your Mac OS X system (a pattern that begins with a dot matches every host whose name ends in it, so the leading dot is what makes the entry cover the whole domain rather than a single host named lbl.gov):

# any host in the lbl.gov domain may reach the FTP daemon
ftpd: .lbl.gov

(Warning: If you do not create an /etc/hosts.deny file with the ALL:ALL entry, the TCP wrapper will allow all access attempts regardless of the entries in /etc/hosts.allow!)

G. Deleting Unnecessary Accounts

[ ] Delete unnecessary accounts of users who no longer need access to your system, and accounts that have been dormant for 90 days or more.

Unnecessary accounts are big targets for attackers, who try to break into these accounts by guessing one password after another in a "brute force" attack without anyone noticing. To delete any unnecessary account, do the following:

  1. Go to System Preferences -> Accounts (see screen below).

    Figure 1. System Preferences screen.

  2. The names of the accounts will be listed. Double-click on the name of the account to be deleted, as shown in the screen below.

    Figure 2. Accounts screen.

  3. A prompt that reads "Are you sure you want to delete the user account?" will appear, as shown in the screen below. Click OK.

    Figure 3. Account deletion prompt.

  4. Repeat this procedure for any additional unnecessary accounts.

H. Configuring Logging

[ ] Increase the amount of syslog logging.

Syslog is the system logging facility, a very flexible type of logging that can record a wide range of events, such as bad login and su attempts, debugging errors, and so on. To configure system logging, add the following lines to /etc/syslog.conf:

kern.* /var/log/kernel
*.warn;*.err /var/log/syslog
*.err @<loghost_address>
authpriv.*;auth.* @<loghost_address>

[ ] Create /var/log/syslog and /var/log/kernel if they do not already exist, and set the permissions for both to 600.

Your system will need the appropriate files to send syslog data; you need to create these files and to protect them with appropriate permissions. To create these files, enter:

# touch /var/log/syslog /var/log/kernel

To set the appropriate permissions, enter:

# chmod 600 /var/log/syslog /var/log/kernel
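As an added example (not part of the original checklist), the following POSIX shell script audits, read-only, the items from sections E, F and H above: world-writable regular files, SUID-root binaries that are not on the "leave them alone" list, the sticky bit on /tmp, the ALL:ALL entry in /etc/hosts.deny, and mode 600 on /var/log/syslog and /var/log/kernel. The function names and the AUDIT_ROOT environment variable are this example's own; every check accepts a root directory so it can be run against a test tree as well as the live system.

```shell
#!/bin/sh
# Read-only audit of checklist items from sections E, F and H above.
# Nothing here modifies the system; the report names the fix the text gives.

# SUID-root binaries the checklist says will break if the bit is removed.
SUID_KEEP=" /sbin/mount_nfs /sbin/mount_smbfs /sbin/shutdown /sbin/umount \
/usr/bin/login /usr/bin/lpq /usr/bin/lpr /usr/bin/lprm /usr/bin/passwd \
/usr/bin/quota /usr/bin/smbutil /usr/bin/su /usr/bin/sudo \
/usr/libexec/authopen /usr/libexec/chkpasswd /usr/libexec/load_hdi \
/usr/libexec/load_webdav /usr/sbin/DirectoryService /usr/sbin/scselect \
/usr/sbin/traceroute "

# Regular files any user can write, i.e. the page's find / -perm -002 -type f.
world_writable_files() {
    find "$1" -perm -002 -type f -print 2>/dev/null
}

# SUID binaries under $1 owned by $2 (default root) that are NOT on the
# keep list: candidates for chmod u-s or for deletion, per the text above.
unexpected_suid_root() {
    top=${1%/}                      # "/" becomes "" so $rel stays absolute
    owner=${2:-root}
    find "${top:-/}" -user "$owner" -perm -4000 -type f -print 2>/dev/null |
    while IFS= read -r path; do
        rel=${path#"$top"}          # path as it would appear on a live system
        case "$SUID_KEEP" in
            *" $rel "*) ;;          # expected: the checklist says keep it
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# True when the sticky bit is set on directory $1 (the "t" in drwxrwxrwt).
tmp_sticky_ok() {
    [ -n "$(find "$1" -prune -perm -1000 -print 2>/dev/null)" ]
}

# True when $1 exists and holds the ALL:ALL entry; without it, TCP wrappers
# allow every connection regardless of /etc/hosts.allow.
hosts_deny_ok() {
    [ -f "$1" ] &&
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# True when $1 exists with mode exactly 600 (owner read/write only).
logfile_perms_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# Run every check against the tree rooted at $1 and print a short report.
run_audit() {
    base=${1%/}
    echo "== World-writable regular files (fix: chmod o-w <file>) =="
    world_writable_files "${base:-/}"
    echo "== SUID-root binaries not on the keep list (fix: chmod u-s, or delete) =="
    unexpected_suid_root "${base:-/}" root
    if tmp_sticky_ok "$base/tmp"; then echo "OK   sticky bit set on $base/tmp"
    else echo "WARN sticky bit missing on $base/tmp (fix: chmod o+t $base/tmp)"; fi
    if hosts_deny_ok "$base/etc/hosts.deny"; then echo "OK   ALL:ALL present in $base/etc/hosts.deny"
    else echo "WARN $base/etc/hosts.deny lacks ALL:ALL; TCP wrappers allow everything"; fi
    for f in "$base/var/log/syslog" "$base/var/log/kernel"; do
        if logfile_perms_ok "$f"; then echo "OK   $f is mode 600"
        else echo "WARN $f missing or not mode 600 (fix: touch $f; chmod 600 $f)"; fi
    done
}

# Usage on a live system (as root, since find must read every directory):
#   AUDIT_ROOT=/ sh audit_macosx.sh
if [ -n "${AUDIT_ROOT-}" ]; then run_audit "$AUDIT_ROOT"; fi
```

Findings are reported, never changed; apply the chmod, touch and hosts.deny fixes by hand exactly as the checklist describes.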

[ ] Make syslog read the new configuration file.

As root, first identify the process id (pid) of the syslog process by entering:

# ps -aux | grep syslog

Then, cause the system daemon to re-read its configuration file by entering:

# kill -HUP pid

[ ] Enable process accounting.

Process accounting records who entered what commands, when, and from where (in terms of a particular terminal or IP address), along with other information that is very useful for security purposes. To enable process accounting, give accton the accounting file to write to (/var/account/acct is the usual file on Mac OS X; note that accton with no file argument turns accounting off):

# accton /var/account/acct

To read process accounting, enter:

acctcom

[ ] Set up an initial log rotation configuration.

Log rotation is necessary for management of disk space on your system. To rotate every four weeks (which is a reasonable period of time), send errors to root, create new empty logs after the log files are rotated, and to compress log files, enter the following in /etc/logrotate.d/syslog:

weekly
rotate 4
errors root
create
compress

[ ] Read your system’s log files daily (ideally), or if this is not possible, at least two or three times a week.

Enter who to discover who is currently logged in to your system, and last to learn of recent logins and logouts. Enter cat /var/log/syslog and cat /var/log/kernel to view the syslog data. If you have enabled process accounting, enter acctcom to view the process accounting data.

I. Patching Your System

[ ] Leave Software Update enabled, and (optional) configure it to update daily instead of weekly.

A significant number of vulnerabilities in Mac OS X have surfaced. Failure to keep up with security patches is the major reason for unauthorized access to systems and to successful denial-of-service attacks. Software Update is a good solution; it automatically goes to Apple’s Web site and checks for patches. Packages that Software Update downloads and installs are copied to /Library/Receipts. The lsbom command allows you to see a list of all the updates for a system. (For help regarding how to use this command, enter man lsbom.) Be sure to leave Software Update enabled so that your system will be up-to-date with respect to patches. The fact that it updates only once a week may be a problem, however, if your system needs a high level of security. To change to daily updates, go to the Update Software tab and select “Daily” from the pull-down menu.

[ ] Ensure that Security Update 2003-07-14 is installed.

Apple Security Update 2003-07-14 describes a serious vulnerability in the screen saver such that when a Mac wakes from the Screen Effects feature, an attacker could gain access to the desktop of whoever is logged in.

NOTE: Software Update should already have obtained and installed this patch. The best way to confirm that this and all other security updates are actually installed is to run a tool such as Macanalysis, which is available online.

J. Other Mac OS X Server Security Tips

[ ] Avoid installing the BSD Subsystem (and especially the NetInfo utilities) and Developer Tools unless you genuinely need them.

When you install Mac OS X you have the option of installing the BSD subsystem, including the NetInfo directory service. For the sake of brevity, suffice it to say here that the BSD subsystem, especially the NetInfo utilities, and the Developer tools have a large number of vulnerabilities, including some that allow everyone to obtain a copy of the encrypted passwords in the password file. If you do not need the BSD subsystem, including the NetInfo utilities, or the Developer Tools, don’t install them. If you need them, at a minimum, change the permissions on all NetInfo command-level interface tools to allow only administrator and root to read, write, or execute these executables. Group and others should not have any access whatsoever.

[ ] Disable the display of usernames in the login window.

By default, anyone can discover usernames on a Mac OS X system simply by bringing up the login window. Disabling the display of usernames in this window is thus a good thing to do for security. Go to System Preferences, select the Login icon, and under "Display Login Window as:" select "Name and Password entry fields."

[ ] If you need a high level of security, obtain the osiris file integrity checker and install and run it to detect any unauthorized changes in files.

Attackers often change files, especially system binaries, after they gain unauthorized access to systems. Running a file integrity checker alerts the system administrator about any such unauthorized changes. The osiris file integrity checker compiles on Mac OS X systems and is free.

K. Conclusion

This checklist should by no means be considered a complete list of things to do to tighten Mac OS X security. You could, for example, use the built-in IP firewall to increase the security of your system even more. Instead this checklist specifies a reasonable set of measures that will make it more resistant to attacks than out-of-the-box systems (although Apple has done more than a respectable job as far as most of its default settings go). Macs have generally fared well against Internet attacks in recent years, but with the release of Mac OS X, the situation is already changing. The number of hacking tools that work against Unix and Linux systems is increasing. It is only a matter of time before more of these tools are modified to target and/or run on Mac OS X; many already have been. So taking the time to follow the steps described in the checklist is not really an option—it is a necessity.

L. Online Resources

http://www.apple.com/support/security/ (Apple product security)
http://www.lbl.gov/ITSD/Security/systems/mac.html
http://lists.apple.com/mailman/listinfo/security-announce (Apple’s security mailing list)
http://www.macintouch.com/security.html
http://www.macsecurity.org
http://www.macsecurity.org/mailman/listinfo
http://www.sans.org/infosecFAQ/mac/mac_list.htm

_____________

  1. The Mac OS Extended file system.
  2. This software actually works on versions 8–10 of the Mac OS.
  3. Other ways to change the password, such as changing the password hash in NetInfo, exist, but they are less secure. For example, it is possible to use NetInfo to change the root password to an empty string.
  4. By default all users of the administrators group may use sudo to run any program as root.
  5. Do not actually type the angle brackets—so, for example, if you wanted /usr/sbin/netapp to no longer be world-writeable, enter chmod o-w /usr/sbin/netapp
  6. If you run the BSD Subsystem, including NetInfo, numerous services will be added, but by default they will be disabled.
  7. You should avoid using telnet; telnet logins are in cleartext, exposing your password over the network.
 
