OS X Security
IT Security Analyst – Robert Vinson
robert-vinson@uiowa.edu
security@uiowa.edu

Reality Check
• OS X had a similar number of vulnerabilities patched as Windows last year.
• Rootkits and worms have been developed for OS X.
• OS X machines can be and have been compromised.
• The move to x86 architecture makes OS X a more attractive target to exploit developers.
• The Point: Use Anti-Virus, keep up to date on patches, etc.

Physical/Boot Security
• Location – adequate visual surveillance
• Service Provided – affects which mitigation steps are realistic
• Desktops
  • Open Firmware password
  • Case lock
  • Disable automatic root login in Single-User mode
• Servers
  • Open Firmware password would hinder remote reboot

Software Updates
• System Preferences -> Software Update
• Servers should generally have this disabled.
• Workstations should have daily update checks.

Disable Unneeded Services
• Enumerate open ports
  • netstat
  • Port scanner
  • Server Admin application
• Disable unneeded services
  • Server Admin
  • /etc/hostconfig

SSH
• Edit the configuration file, /etc/sshd_config
  • Disallow root logins
  • List the usernames that should be able to connect in the AllowUsers directive.
• Utilize the firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only)
• Add the service to xinetd and utilize xinetd throttling capabilities.

Permissions
• OS X permissions are weak.
  • Many world-writable/readable directories and even executables!
• Set a more restrictive umask
  • Can be done via shell initialization files and/or globally
• Audit permissions system-wide
  • Good place to start: SUID files, world-writable files/directories

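One way to run the audit this slide suggests, as an added example that is not part of the original deck. The function names and the LABEL<TAB>path output format are assumptions of this example, and the baseline comparison goes one step beyond the slide so that repeat audits show only new findings.

```shell
#!/bin/sh
# Added example: audit the permission classes named on the slide.
# Function names and the LABEL<TAB>path output format are assumptions
# of this example, not part of the original deck.

# Prefix every path read from stdin with a finding label.
label() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

# audit_perms ROOT: print one "LABEL<TAB>path" line per finding, sorted.
audit_perms() {
    root=${1:-/}
    {
        # -xdev stays on one filesystem, so network and removable
        # volumes are skipped; unreadable directories are ignored.
        find "$root" -xdev -type f -perm -4000 2>/dev/null | label SUID
        find "$root" -xdev -type f -perm -2000 2>/dev/null | label SGID
        find "$root" -xdev -type f -perm -0002 2>/dev/null | label WW_FILE
        # World-writable plus sticky bit (like /tmp) is expected; without
        # the sticky bit any user can remove or replace others' files.
        find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null |
            label WW_DIR_NOSTICKY
    } | LC_ALL=C sort
}

# audit_new ROOT BASELINE: print findings absent from a saved baseline
# (a file written earlier with: audit_perms ROOT > BASELINE).
audit_new() {
    audit_perms "$1" | LC_ALL=C comm -13 "$2" -
}
```

Save a baseline right after a clean install or a reviewed audit, then run audit_new on a schedule and review whatever it prints.
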
File Serving
• AFP – allows for encrypted file transfer.
• NFS – netboot mounts should be exported as read-only and squash root by default.
• SMB – sharing in Windows environments.

Firewall
• OS X uses the IPFW firewall.
• Server Admin can be used to configure the firewall.
• Greater control can be had by editing the /etc/ipfilter/ipfw.conf file.
• The ipfw utility can be scripted to open up ports at needed times, etc.
• Utilize the firewall to scope down accessibility to services.

Logging
• Syslog – configuration in /etc/syslog.conf
• /var/log
• Remote logging, as always, is a very good idea.
• Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s).
• Generally a good idea to have a separate partition for /var or even /var/log on a syslog server

User Authentication
• Utilize Open Directory to set a password policy
• Some recommended settings
  • 8 char long passwords
  • Require alphanumeric
  • Enable expiring passwords
  • Enable account locking for failed attempts
• Use pwpolicy to set policy

Misc.
• FileVault
• Disk Utility for fixing permissions

References/Resources
• OS X Benchmark security document – http://www.cisecurity.org
• NSA’s OS X Server Security Configuration guide – http://www.nsa.gov/snac
• Apple – www.apple.com