Securing Mac OS X Tiger
Stephen de Vries writes "Mac OS X is one of the most secure default installations of any OS. But it is still possible to lock the OS down further, in order to meet corporate security guidelines or to securely use network services. Corsaire has released a guide to Securing Mac OS X Tiger (long pdf) which addresses the new security features introduced through Tiger and presents some security good practice guidelines."
CIA still using OS X? (Score:3, Interesting)
Re:"long pdf"? (Score:2, Interesting)
There have been warnings accompanying long related articles for time eternal - some people come here primarily for discussion (sort of like an online book club). The article is a "necessary nuisance" for this bunch, hence the disclaimer. For those who actually come for information it isn't so much of a concern.
Now since I'm here for discussion, what's the deal with
Re:Does default matter? (Score:5, Interesting)
I've seen very secure corporate environments using OS X where everything works splendidly (including roaming profiles actually carrying _all_ of your settings with you). Also, the security manages not to get in the way of day-to-day activity.
Re:Wait for it... (Score:4, Interesting)
Anyone know if FileVault's key is encrypted against anything apart from the user's key and the optional recovery key?
Windows password hash storage (Score:2, Interesting)
By default, OS X stores your password as a nice secure hash. However, it also stores it using Windows' shitty hash method, that takes approximately 0.000000001 seconds to brute force with John the Ripper [google.com].
So it's advisable to somehow disable this functionality.
Re:You should also run Apple's bundled secure scri (Score:3, Interesting)
Re:"long pdf"? Not missed much... (Score:3, Interesting)
Yeah, 41 pages long. If you ever read "basic secure your Linux box", well, that's it. I'm disappointed that a real Mac problem was not addressed. It allows you world writable Applications directory, and
It contains:
Setting password, Displaying warning, locking your firmware (well, this one is the only deviation from "Lock your box for real world dummies"), enabling ACLs, changing user home directories from 022 to 027, tcp_wrappers, xinetd, and other services, file vault, encrypted disk images...
Basically the only positive thing I got from reading it, was how insecure default OSX (talking about DEFAULT here, not what is possible. Mac line was always "Just works") really is. It is more or less as secure as Windows 98 with few bugs taken out and few new entered.
Re:You should also run Apple's bundled secure scri (Score:3, Interesting)
Windows has the same feature, so what?
On Linux you can install libtrash or any other kind of protection, which is much nicer than any filesystem default, so what?
On VAX all the versions were collected, so what??
It is downtime and service needed that counts not someone with EnCase. Problem is that you can do rm / by default and not what it does and not whether Mac is holy or not.
Metadata in the PDF (Score:4, Interesting)
Three thumbs up (Score:4, Interesting)
I had already applied some of the security recommendations, such as enabling security on Open Firmware, but I've just learned there are a plethora of other security options available on Mac OS X 'out of the box'.
There are options in Tiger's security preferences that allow swap space to be encrypted and to avoid passwords being accessible in the clear when stored in memory and swapped to disk. Kernel core dumps can be disabled for similar reasons.
Password policies! I had no idea Tiger could do that.
After going through this article and learning a bit more about how KeyChain works, I've started creating my own keychains to store 'Secure Notes' and I've finally accepted that Safari does do 'auto-logon' securely in the way it uses KeyChain.
This is a very good article.
Re:Three thumbs up (Score:2, Interesting)
It can starting with 10.3. I have an older article about it on my site here [afp548.com]. The article is from 10.3, but really just more of it works now on 10.4. Also look at the site for my login times script that uses pwpolicy to imitate the login hours policy that other OSes offer admins.
Last year at MacWorld SF, I put together a pwpolicy GUI in AppleScript Studio for a live demo. I also did a minor bit of pwpolicy scripting at WWDC this year. If you have an ADC membership you can watch that preso. It was fun when the demo Mac started to fall apart while I was trying to code...
Open Ports (Score:3, Interesting)
An OS without *any* open ports can still be vulnerable, by merely having a TCP/IP stack connected to a public network. Even if the stack merely can only respond to ICMP packets (no tcp or udp ports open, nor any other IP protocols enabled), it can still theoretically be vulnerable to DoS attacks via ICMP.
TFA makes no mention whatsoever of disabling ICMP.