The natural choice for information security solutions
A Corsaire White Paper: Securing Mac OS X Author Stephen de Vries
Document Reference Securing Mac OS X V1.0.doc
Document Revision V1.0 Released
Date 22 June 2004
© Copyright 2000 - 2004, Corsaire Limited, All Rights Reserved.
Table of Contents

1. Introduction ... 3
2. Using this Guide ... 3
3. Summary of Security Hardening ... 3
4. Security Hardening Guidelines ... 4
4.1 Patching & Maintenance ... 4
4.2 Physical Access Controls ... 4
4.3 Keychain ... 8
4.4 Data Encryption ... 9
4.5 Antivirus solutions ... 9
4.6 Controlling Administrative Access ... 10
4.7 Firewall ... 10
4.8 Network Services ... 12
4.9 File Sharing ... 18
4.10 Intrusion Detection Systems (IDS) ... 19
References ... 20
Acknowledgement ... 21
About The Author ... 21
About Corsaire ... 21

Page 2 of 22
Securing Mac OS X
Copyright © 2000-2004 Corsaire Limited.
All Rights Reserved.
The natural choice for information security solutions
1. Introduction

Mac OS X (10.3) provides many built-in security features that, when fully utilised, can greatly reduce the risk of a security incident. OS X has one of the most secure default installations when compared to other operating systems. The install follows the accepted best practice of disabling all network services unless explicitly enabled. The default security settings should suit the needs of most users in a workstation setting.

This guide is aimed at users in environments requiring stronger security controls in an operating system, making full use of the protection features offered in OS X. It would also be of use to system administrators wishing to enforce an organisation-wide desktop security policy for Mac OS X.
2. Using this Guide

This guide covers Mac OS X 10.3 (Panther) as a multi-user networked system. Most of the console and network-based security features are common to OS X and OS X Server; however, this guide does not cover Server's additional user, directory and network-based security features.

The reader should be familiar with using the UNIX command line and editing plain text configuration files. Most of the operations will require administrator access, and it is recommended that each file be backed up before editing it.

While every effort has been made to test the settings specified in this guide, no guarantee can be made as to their effectiveness or suitability for individual systems. Any changes to your system are made at your own risk.

3. Summary of Security Hardening

This hardening guide includes the following areas:
1. Patching & Maintenance – Strategies to perform regular checks for security updates and patches to mitigate risks in the operating system and software in a timely manner.
2. Physical Access Controls – Steps to make the OS X host resilient to an attacker with physical console access.
3. Keychain – Securing the central authentication repository, or keychain, to reduce the risk of unauthorised access.
4. Data Encryption – Use of user and disk-based encryption to prevent unauthorised access to sensitive data, and to provide organisational escrow to that data.
5. Antivirus Solutions – Solutions to mitigate the risk of viruses or other malware affecting OS X hosts.
6. Controlling Administrative Access – An explanation of administrative privilege under OS X and how best to secure access.
7. Firewall – Details of the provided firewall and how to use its full functionality.
8. Network Services – Information about the available services and how to deploy them securely.
9. File Sharing – How to share files securely.
10. Intrusion Detection System (IDS) – Available host based, and network based IDS solutions.
4. Security Hardening Guidelines

4.1 Patching & Maintenance

4.1.1 GUI

Mac OS X uses the Software Update tool to download and install system and application patches. It is recommended that it be configured to check for new updates daily; it can also be configured to perform downloads in the background and notify the user when the update is ready for installation.

4.1.2 Command Line

Software updates can also be listed and applied through the command line tool /usr/sbin/softwareupdate. This makes it possible to install updates in shell scripts, or to invoke it remotely through SSH. For example, the following command automatically installs all required updates (-i install, -r required only) and appends both its output and its error messages to a log file (the file redirection must come before 2>&1, otherwise error messages stay on the terminal instead of going to the log):

sudo /usr/sbin/softwareupdate -i -r >> /Library/Logs/auto-softwareupdate.log 2>&1

Caution should be used when adding softwareupdate to the crontab, as some required updates need the system to be manually rebooted before taking effect.
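An added example (not from the Corsaire paper) of how a practitioner might wrap softwareupdate for unattended use: it logs both output streams correctly and flags updates that will need a manual reboot. It assumes that the listing produced by softwareupdate -l tags such updates with [restart], as 10.3-era output did; the sample listing in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the Corsaire paper: a cron-safe wrapper around
# /usr/sbin/softwareupdate that logs correctly and reports updates which
# need a manual reboot before they take effect.
# Assumption: "softwareupdate -l" marks such updates with a "[restart]" tag
# on the listing line, e.g. (constructed sample):
#    ! ExampleSecUpd-1.0 - 1.0 [recommended] [restart]

LOG=${LOG:-/Library/Logs/auto-softwareupdate.log}
SWU=${SWU:-/usr/sbin/softwareupdate}

# restart_updates: read a "softwareupdate -l" listing on stdin and print
# the name of each update tagged [restart], one per line.
restart_updates() {
    awk '/\[restart\]/ {
             sub(/^[ \t]*[!*][ \t]*/, "")   # strip the leading "!" or "*" marker
             print $1                       # first field is the update name
         }'
}

# install_required: install all required updates (-i install, -r required).
# Both stdout and stderr go to the log: the file redirection must come first,
# because "2>&1 >> file" would leave stderr on the terminal (or in cron mail).
install_required() {
    "$SWU" -i -r >> "$LOG" 2>&1
}

# Only act when invoked with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    printf '=== %s: checking for updates ===\n' "$(date)" >> "$LOG"
    listing=$("$SWU" -l 2>&1)
    printf '%s\n' "$listing" >> "$LOG"
    pending=$(printf '%s\n' "$listing" | restart_updates)
    install_required
    if [ -n "$pending" ]; then
        printf 'REBOOT REQUIRED for: %s\n' "$pending" >> "$LOG"
        exit 2   # distinct status so cron mail or monitoring can pick it up
    fi
fi
```

Run it from cron as `auto-softwareupdate.sh --run`; a non-zero exit of 2 means an administrator still has to schedule the reboot.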
4.2 Physical Access Controls

In environments where attackers could gain physical access to the system, it is important that additional security mechanisms are in place to protect the system from unauthorised access. Should an attacker gain physical access to a system, they could boot an alternate operating system and read data stored on the hard drive, or enable a firmware password that will render the system inoperable. The best solution is to control physical access to systems by putting them under lock and key, but sometimes this isn't possible, especially for mobile users or desktop users in shared environments.

4.2.1 Open Firmware security

Open Firmware is the BIOS used by most Apple systems, and is used to provide low-level control of some parts of the hardware. Open Firmware uses a command line driven interface more similar to that used by Sun Microsystems than the graphical BIOS used by x86 PCs. For the purposes of securing the system, two operations need to be performed in Open Firmware: setting a password, and changing the security level. These features are only available in Open Firmware version 4.1.7 or later (see: http://docs.info.apple.com/article.html?artnum=106482).

4.2.1.1 Caveats

Open Firmware security can be subverted in a number of ways and therefore does not provide complete protection from an attacker with physical access. It does, however, provide more protection than the default settings and will make it more difficult for an attacker to gain access to data. For more information on Open Firmware weaknesses see:

• http://www.msec.net/advisories/of_pwd_bypass.html
• http://www.msec.net/software/index.html#fwsucker
4.2.1.2 Accessing Open Firmware (OF)

The changes to the firmware described below are made directly from the Open Firmware command line. Apple has released a graphical tool [1] that sets the firmware password, but it does not allow granular control of the security mode. To access the OF command line, the system should be rebooted and Command-Option-O-F held down while the system boots. A screen similar to the following should be presented:
Apple PowerMac,4 4.4.9f1 BootRom build on 11/13/02 at 13:41:09
Copyright 1994-2002 Apple Computer, Inc.
All Rights Reserved
Welcome to Open Firmware, the system time and date is: 02:36:52 01/15/2003
Full security mode.
To continue booting, type "mac-boot" and press return.
To shut down, type "shut-down" and press return.
ok
0>
4.2.1.3 Setting a firmware password

From the Open Firmware command line, type:

password

When prompted, enter and re-enter the chosen password. The password should comply with the organisation's security policy.

0> password
Enter a new password: ********
Enter password again: ********
Password will be in place on the next boot! Ok
0>
Once the password is set, it is necessary to set the security mode to one of the three values: none, command or full, which are described in more detail below:

• None – This is the default setting and provides no Open Firmware security protection. Even if a password is set, it has no effect if the security mode is none. It is also possible to set another firmware password without first entering the old one.
• Command – This setting causes the system to prompt for a password when any changes to Open Firmware are attempted. It will also require a password when booting from any device besides the default boot device.
• Full – This mode requires that a password be entered before booting and before any changes are made to Open Firmware. A password will be required before every reboot.

Once the appropriate security mode has been selected, it can be set by typing:

setenv security-mode full

To save the changes and reboot, type:

reset-all

[1] This can be obtained from http://docs.info.apple.com/article.html?artnum=120095.
4.2.2 Login

4.2.2.1 Banner

A login banner informs users accessing a system about the system's function, ownership and the consequences of unauthorised access. This information should be displayed at all points of entry to the system: usually the login prompt on the desktop, shell logins and FTP access prompts. An appropriate login banner should be defined, after consultation with the organisation's legal team if appropriate. An example login banner could be similar to:

THIS IS A PRIVATE COMPUTER SYSTEM AND IS FOR AUTHORISED USE ONLY.
Any or all use of this system and all files on this system may be
intercepted and monitored.
Unauthorised or improper use of this system may result in disciplinary
and/or legal action. By continuing to use this system you indicate your
awareness of and consent to these terms and conditions of use.
LOG OFF IMMEDIATELY if you are not an authorised user of this system or do
not agree to the conditions stated in this warning.

The first place that this banner should be displayed is at the desktop login prompt, where all local users will see it. To insert a login banner in the Mac OS X login window, edit the file /Library/Preferences/com.apple.loginwindow.plist (as the super-user) and insert the LoginwindowText key and its string value shown below:

…
<plist version="1.0">
<dict>
<key>LoginwindowText</key>
<string>Insert your login banner here</string>
<key>MasterPasswordHint</key>
<string></string>
…

The new login window will be displayed after a reboot.

A number of other services should use the same login banner, and it will be useful at this point to create a text file containing the banner in /etc/login_banner. Since each service that displays the banner will format it according to its own protocol, the length of each line should be less than 80 characters (which is the default width for many terminal applications).
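The line-width rule and the login window edit above, as an added shell example that is not from the paper. It installs the banner with defaults(1) rather than editing the plist by hand, and assumes the banner has been saved in /etc/login_banner; the banner lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the paper: check that every line of the banner
# file fits in 80 columns (the limit recommended in the text) and install
# it as the login window banner with defaults(1), which writes the
# LoginwindowText key into /Library/Preferences/com.apple.loginwindow.plist.
# Assumption: the banner lives in /etc/login_banner (override with BANNER=).

BANNER=${BANNER:-/etc/login_banner}
PLIST=/Library/Preferences/com.apple.loginwindow   # defaults(1) appends .plist

# banner_width_ok FILE: succeed only if no line reaches 80 characters;
# otherwise print each offending line number with its length, and fail.
banner_width_ok() {
    awk 'BEGIN { bad = 0 }
         length($0) >= 80 {
             printf "%s:%d: %d characters (limit 79)\n", FILENAME, NR, length($0)
             bad = 1
         }
         END { exit bad }' "$1"
}

# install_login_banner: refuse to install a banner that fails the width
# check, then write it to the login window plist. The plist is owned by
# root, so run this through sudo; the banner appears after the next reboot.
install_login_banner() {
    banner_width_ok "$BANNER" || return 1
    defaults write "$PLIST" LoginwindowText "$(cat "$BANNER")"
}

# Only act when invoked with --install, so the functions can be sourced safely.
if [ "${1:-}" = "--install" ]; then
    install_login_banner && echo "Login banner installed; it is shown after the next reboot."
fi
```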
4.2.2.2 Automatic login

Automatic login should be disabled for all users of the system, ensuring that each user must enter their username and password before being granted access. This can be enforced as a system-wide setting from the Security pane of System Preferences.

4.2.2.3 Displayed usernames

By default, OS X displays a list of usernames with accompanying pictures at the console login prompt. This provides too much information to passing attackers and should be disabled, requiring users to enter both their usernames and passwords. Disable this setting from:

System Preferences -> Login Options -> Display Login Window as: Name and password.

4.2.2.4 Password hints

Password hints allow users to set a hint in case they forget their passwords. While this is a helpful feature for some home users who do not log in very often, it is typically not appropriate in a corporate environment, as it increases the risk of an attacker successfully guessing the password.

There is no global setting to ensure that all users have disabled password hints, so each user account will have to be checked. From System Preferences -> Accounts, select each user and ensure that the 'Password hint' text box in the 'Password' pane is left blank.
4.2.3 Screensaver

A screensaver should be activated after a short period of inactivity, and should require a password to unlock the workstation. This prevents unauthorised passers-by from accessing an unattended workstation that is logged in. A ten-minute period of inactivity before the screensaver is triggered should suit most organisations. The screensaver can be enabled from System Preferences -> Desktop & Screensaver. To enable password protection on the screensaver, 'Require password to wake this computer from sleep or screensaver' should be selected from the Security pane of System Preferences.
4.3 Keychain

The Keychain allows users and applications to store and access authentication details in one place. Users can lock or unlock this keychain with a single password; applications can only access authentication details when the keychain is unlocked. By default, the Keychain password is the same as the login password, and the Keychain is unlocked when a user logs in and locked again when they log out.

The security of the Keychain can be further improved by locking the Keychain after a period of inactivity and requiring a password when the system wakes from sleep. These options are accessed from the Edit -> Change settings for Keychain menu in the Keychain application (Applications -> Utilities).

The Keychain application also allows individual access controls to be placed on each key in the Keychain. Where keys grant access to particularly sensitive information, it is recommended that the access control be changed to 'Ask for Keychain password'.

In high security environments, it is recommended that the Keychain password be different from the password used for login. This can be changed from 'Edit -> Change Password for Keychain'.
4.4 Data Encryption

OS X provides built-in data encryption features using the AES [2] algorithm with 128-bit keys. This allows users to encrypt data with military strength cryptographic functions.

The first of the encryption features is FileVault, which encrypts and decrypts a user's entire home folder, protecting the data from unauthorised access. Decryption is performed in real time as needed and appears seamless to the user.

The user's login password is used to decrypt the encrypted folder. An additional 'master password' may also be set, which will be able to decrypt all FileVault protected folders on the system. This provides the ability to recover a user's data should they forget their password or leave the organisation, but it also gives the holder access to all users' encrypted data. Organisational access control policies should dictate whether this is desirable, and who should hold the master password. The ability to decrypt user data is currently a requirement of the UK's RIP Act (http://www.homeoffice.gov.uk/crimpol/crimreduc/regulation/). FileVault can be enabled on a per-user basis from the Security pane of System Preferences.

The Disk Utility application (Applications -> Utilities -> Disk Utility) can also be used to encrypt data. When a new image is created, 'AES-128 (Recommended)' should be selected as the encryption setting. A password will be required to decrypt the image when it is mounted. This is especially useful for exchanging encrypted data, or for mobile users who wish to store their data on external drives. An option is provided to store the password for an encrypted volume in the user's Keychain; this is convenient for most users and should only be declined by users with the utmost concern for the confidentiality of their data.
4.5 Antivirus solutions

Viruses, trojans and other malware are relatively uncommon on the OS X platform, and as a result currently present a far lower risk than on Windows systems. In some organisations, security policies may mandate the use of anti-virus systems for all desktop systems, regardless of the relative absence of OS X viruses.

A number of well-known anti-virus vendors now ship versions of their products for OS X, including:

• McAfee's Virex - http://www.networkassociates.com/us/products/mcafee/antivirus/desktop/virex.htm
• Norton's AntiVirus - http://www.symantec.com/nav/nav_mac/index.html
• Sophos' Anti-Virus - http://www.sophos.com/products/sav/
• Intego's VirusBarrier - http://www.intego.com/virusbarrier/home.html

[2] http://csrc.nist.gov/CryptoToolkit/aes/
4.6 Controlling Administrative Access

4.6.1 The root user

The default installation of OS X ships with the root user disabled, making it impossible to log in or su to root. This reduces the risk of many common attacks traditionally aimed at UNIX operating systems. It is possible to enable the root user, but this is strongly discouraged. The status of the root user can be checked from the Security menu in the NetInfo Manager application.

4.6.2 Administrative user

The access control mechanisms of the system may be further secured by granting administrative rights to only specific users. For each administrative user, there should be two user accounts: one to perform normal user operations, and the other to perform administrative functions. For example, if the user James is a designated administrator, he should have a standard system account "james" with no special privileges and an administrative account "admin_james" with administrator rights. This provides accountability where there is more than one administrator on a system. Administrative users should be prevented from logging in to the system over network services using their administrative accounts. This further reduces the risk of the authentication credentials being compromised. To restrict remote access, the configuration of each network service will have to be altered as described in section 4.8.
4.6.3 Sudo

Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default, Panther allows all administrative users access to the sudo command and allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead enable it on a per-user basis.

From the terminal, edit the /etc/sudoers file by typing:

sudo visudo

Insert a hash (#) character in front of the line:

%admin ALL=(ALL) ALL

To allow only the user 'bob' access to sudo, add the line:

bob ALL = (ALL) ALL

Make sure that at least one user has permission to run sudo before saving the file! Access controls within the sudoers file can be specified in fine detail; for example, it is possible to grant the user james access to the file /usr/bin/kill, but only with the privileges of user tim. See the sudoers man page for more details on tightening access controls through sudo.
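An added example (not part of the paper) of a check to run before saving the sudoers edits described above: it fails if the %admin group rule is still active, or if no explicit per-user rule would be left, which locks every administrator out because root is disabled on OS X. It assumes rules in the one-line "user ALL = (runas) command" form the text shows; the sample sudoers files in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the paper: a pre-save check for /etc/sudoers that
# enforces the per-user policy described above. It fails if the "%admin"
# group rule is still active, or if no explicit (non-root) user rule is
# left, which would lock every administrator out because root is disabled
# on OS X. Assumption: rules use the one-line "user ALL = (RUNAS) CMD"
# form shown in the text, e.g. "james ALL=(tim) /usr/bin/kill".

# sudoers_policy_ok FILE: print each problem found and fail if there is one.
sudoers_policy_ok() {
    awk '
        BEGIN { bad = 0; users = 0 }
        /^[ \t]*#/ { next }                   # comments, including the disabled %admin line
        /^[ \t]*%admin[ \t]+ALL[ \t]*=/ {
            print "group rule still active, sudo is open to all administrators: " $0
            bad = 1
        }
        /^[ \t]*[A-Za-z_][A-Za-z0-9_.-]*[ \t]+ALL[ \t]*=/ && $1 != "root" {
            users++                           # an explicit per-user grant
        }
        END {
            if (users == 0) {
                print "no per-user rule grants sudo: saving this file would lock administrators out"
                bad = 1
            }
            exit bad
        }' "$1"
}

# check_sudoers FILE: combine the policy check with the syntax check of
# visudo (-c check only, -f alternate file) when visudo is available.
check_sudoers() {
    f=${1:-/etc/sudoers}
    sudoers_policy_ok "$f" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$f"
    fi
}

# Only act when invoked with --check, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    check_sudoers "${2:-/etc/sudoers}"
fi
```

Run it against a copy of the edited file (for example `sudo ./check_sudoers.sh --check /etc/sudoers.new`) before moving the copy into place.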
4.7 Firewall

OS X is derived from BSD, and as such features the IPFW firewall. By default, the firewall is disabled (as are most network services); it can be activated and configured from the Firewall tab in the Sharing pane of System Preferences. The simplistic GUI does not, however, provide access to the full capabilities of the ipfw firewall. To enable more granular control of network traffic, it is first necessary to stop the firewall through the GUI and then create a new startup item which defines the firewall's behaviour.

Create the directory /Library/StartupItems/Firewall