Hardening Mac OS X
From MacShadows KB
This article describes several quick steps for hardening Mac OS X computers after the system has been installed. It should not be considered a thorough and complete hardening guide, as it only covers system-specific options.
Service hardening will be treated superficially and it is considered out of scope as not all of us will always run the same services.
General Security Settings
Under System Settings -> Security you'll find the first steps toward securing your box. Just make sure the following options are checked:
- Require password to wake this computer from sleep or screen saver
- Disable automatic login
- Use secure virtual memory
We'll review the FileVault settings later. Along with requiring a password to wake the computer from sleep or screen saver, we should configure the screensaver to start after an appropriate time (10 - 20 minutes of inactivity should be enough).
It's also a good idea to configure one of the Hot Corners to activate your screensaver in case you need to go out in a rush but you can't put your computer to sleep.
The most common attack vector against a normal user's Mac OS X box is the Safari web browser, which is based on WebKit. Safari runs 24/7, has userland access to nearly every file and directly opens many different formats. For example, it hands files to QuickTime and Preview.app, applications whose vulnerabilities can be exploited when Safari passes files to them. Safari doesn't provide any script controls like Firefox's NoScript or anything comparable.
Furthermore, you can sandbox the whole browser to deny it access to every folder except Downloads: http://www.crazylazy.info/blog/content/safari-sandbox-02 The current development file is here: http://github.com/wishi/snippy/tree/master/Configs/safari-sandbox/
Patches and Updates
Always keep your applications patched and if possible up to the latest version. This may be done with the Apple Update GUI which comes integrated in Mac OS X and which may be found under the System Menu (that blue apple in the upper left corner of your screen) -> Software Update. The updater may also be run from the console with the following command:
sudo /usr/sbin/softwareupdate -i -r 2>&1
If you have installed third-party applications, be sure to visit their pages periodically to stay informed of the latest patches and updates, especially those concerning the security of your system.
This is the key to your safe. Would you leave your bank PIN around on a Post-it?
Secure passwords are one of the most important items in system security. Fortunately, the OS provides us with a password assistant when we are changing our password (under System Preferences -> Accounts). I recommend using the password assistant with the type set to random and a minimum length of 8 characters.
If you are a system admin and there will be more than one user on your machine, it's strongly recommended that you enforce minimum requirements for setting new passwords. This can be done with the pwpolicy command in Terminal.app.
At least the following items should be considered when setting up a policy:
- Password length (min. 8 characters)
- Password expiration (depending on your needs)
- Users must not be able to reuse the last 10 passwords
- Passwords should be mixed case, contain letters and numbers and at least one special character
- Failed authentication limit should be set to maximum 5 attempts
To fulfill these conditions partially, you may use the following command:
sudo pwpolicy -a adminusername -setglobalpolicy "usingHistory=10 minChars=8 requiresNumeric=1 requiresAlpha=1 maxFailedLoginAttempts=5"
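The following is an added example, not part of the original article: a small audit that checks a global policy string against the baseline items the command above sets. The function names are hypothetical, and it assumes the policy is a space-separated list of key=value pairs as in the -setglobalpolicy argument (on a live system it would come from `pwpolicy -getglobalpolicy`).

```sh
#!/bin/sh
# Added example: audit a pwpolicy global policy string against the baseline above.
# Assumption: the policy is a space-separated list of key=value pairs.

# Baseline taken from the list and command above: key, rule, value.
BASELINE='minChars min 8
usingHistory min 10
requiresAlpha min 1
requiresNumeric min 1
maxFailedLoginAttempts max 5'

# policy_value POLICY KEY: print the value of KEY, or nothing if it is not set.
policy_value() {
    for pair in $1; do
        case "$pair" in
            "$2"=*) printf '%s\n' "${pair#*=}"; return 0 ;;
        esac
    done
}

# audit_policy POLICY: print one finding per baseline item that is missing or
# weaker than required; return 0 if the baseline is met, 1 otherwise.
audit_policy() {
    status=0
    while read -r key rule want; do
        have=$(policy_value "$1" "$key")
        case "$have" in
            ''|*[!0-9]*) echo "MISSING $key"; status=1; continue ;;
        esac
        if [ "$rule" = min ] && [ "$have" -lt "$want" ]; then
            echo "WEAK $key=$have (want at least $want)"; status=1
        # Assumption: a failed-login limit of 0 means "no limit", so it fails too.
        elif [ "$rule" = max ] && { [ "$have" -eq 0 ] || [ "$have" -gt "$want" ]; }; then
            echo "WEAK $key=$have (want 1 to $want)"; status=1
        fi
    done <<EOF
$BASELINE
EOF
    return $status
}

# Constructed samples: the policy string from the command above, then a weak one.
audit_policy "usingHistory=10 minChars=8 requiresNumeric=1 requiresAlpha=1 maxFailedLoginAttempts=5" \
    && echo "baseline met"
audit_policy "usingHistory=3 minChars=6 requiresNumeric=1 maxFailedLoginAttempts=0" \
    || echo "baseline NOT met"
```

Password expiration and the mixed-case and special-character items from the list are not covered by the command above, so this audit does not check them either.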
The way the login is presented to the user may add additional security to your computer, especially if the attacker has physical access to your machine.
Banners and disclaimers don't make your computer more secure; however, they can be very helpful in convincing the attacker not to access your machine without permission, and they may also be very useful in legal terms. This banner or disclaimer should be displayed every time a user tries to access your machine, whether locally or remotely.
To set the banner at login time you must insert a key into the com.apple.loginwindow.plist file this way:
sudo open /Library/Preferences/com.apple.loginwindow.plist
This should open the plist file editor where you must add the LoginwindowText key. It should be a string and in the value you should type whatever your banner or disclaimer is. After saving your changes you must reboot your computer in order for the banner to start appearing.
Mac OS X also has the nasty habit of displaying a full list of usernames on the login window. This simply provides too much information to attackers and should be disabled. You can disable this setting in System Preferences -> Accounts -> Login Options -> Display login window as: Name and password.
Password hints also provide too much information to attackers, so they should be disabled. To disable password hints, open a console and type:
sudo open /Library/Preferences/com.apple.loginwindow.plist
Change the value RetriesUntilHint to 0.
The Keychain is a nice Apple feature that allows users and applications to store passwords securely. Several keychains may be created, and in each one you may store important information (for example, if you want to keep your bank details secure you may create a new keychain and store secure notes in it with your confidential data).
Metadata stay clear-text
You should be aware that only the passwords will be encrypted for your keychains:
AirPort network password oldschool oldschool $E4E84184-9B21-49D3-9879-FED25E086A76
SSIDs, notes, annotations and usernames can reside in clear text within the file.
Improving security with the Keychain.app
There's a very important keychain: the login keychain. It is automatically "opened" with the user's login password. Its security may be further improved by changing its password to something completely different from the login password. This prevents an attacker from gaining access to privileged information (your login credentials for your mail, for example) if he has compromised the login password.
To change the password you must open the Keychain Access (Applications -> Utilities) and choose Edit -> Change password for Keychain "login".
Keychain also lets you edit the preferences on a per-key basis. This setting is recommended for the truly paranoid, as it lets you assign a password per key.
If you perform a right-click within the Keychain.app's prefs, you can set a timeout period after which the keychain automatically closes. This is an essential hardening tip because Safari, like many other applications, often has vulnerabilities that get exploited via malicious websites. Those attacks could gain access to the keychain via the built-in API functions.
On Mac OS X, all users are granted read access to newly created files by default. This may present serious privacy issues if the computer is being used by more than one user. This hazard may be prevented by allowing newly created files to be read only by those users in the same group as the one who is creating the file. This is done by fixing the default umask for new files (NSUmask takes a decimal value; 23 is octal 027):
sudo defaults write /Library/Preferences/.GlobalPreferences NSUmask 23
All the accounts created before changing this default setting will already include files that may be read by everyone in the system, so this issue also needs to be fixed. The following should be done for every user in the system:
sudo chmod -R 740 /Users/username
Mac OS X provides its users the ability to encrypt information using the AES algorithm with 128 bit keys.
The FileVault utility, which is configured under System Preferences -> Security, encrypts and decrypts the entire user folder. This means it is enabled on a per-user basis, which may be very useful if you have confidential data but you don't want your entire home directory being encrypted and decrypted every time you log off or log on. If you possess this kind of information, simply add a user which will only contain this information in his user folder and configure it to use FileVault.
The contents are decrypted using the login password of the user; however, you can also set a master password which allows decrypting the information of any user in the system regardless of whether you know his login password.
Disk Utility, which may be found in Applications -> Utilities -> Disk Utility, may be used to encrypt data when a new image is created. This is very useful for backing up sensitive information; however, it will require a password every time the volume is mounted. Mac OS X even has the ability to manage these decryption passwords for images in its Keychain application.
The root user is disabled by default on Mac OS X and it should remain so unless the need of activating it exceeds the risk taken.
The administrator(s) of the system should have two accounts, one dedicated only for the purpose of administration and the other one for the day to day work. Needless to say, their passwords should be different. This is done for the sole purpose of accountability, and provides an additional layer of security by denying the administrative accounts remote access.
If the root user remains disabled, then su won't work. Instead you would use sudo. By default, Tiger lets all administrative users run sudo, but you should be very careful and only allow the necessary users to use this command. In order to disable it and enable it on a per-user basis you should do the following:
And insert a # in front of the following line:
%admin ALL=(ALL) ALL
And for example, to allow user redknight the ability to use sudo you would add the following line:
redknight ALL=(ALL) ALL
Warning: before saving the file make sure there is at least one existing user enabled to use sudo.
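A way to check the edited file against the warning above before saving it, as an added example that is not part of the original article. The function names are hypothetical, the sample sudoers text is constructed, and only simple one-line rules of the form shown above are recognized.

```sh
#!/bin/sh
# Added example: check edited sudoers text for the lockout the warning describes.
# Limitation: only simple one-line "name ALL=(ALL) ALL" rules are recognized.

# sudo_principals: read sudoers text on stdin and print every user or %group
# that has an active (uncommented) "ALL=(ALL) ALL" rule.
sudo_principals() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }               # comment or blank line
        $2 == "ALL=(ALL)" && $3 == "ALL" { print $1 }
    '
}

# check_sudoers TEXT: return 0 only if %admin is disabled and at least one named
# user other than root (disabled by default, see above) can still run sudo.
check_sudoers() {
    active=$(printf '%s\n' "$1" | sudo_principals)
    users=$(printf '%s\n' "$active" | grep -v -e '^%' -e '^root$' -e '^$' || true)
    if printf '%s\n' "$active" | grep -q '^%admin$'; then
        echo "FAIL: %admin can still run sudo"; return 1
    fi
    if [ -z "$users" ]; then
        echo "FAIL: no named user left with sudo, do not save"; return 1
    fi
    echo "OK: sudo limited to:" $users
}

# Constructed samples: the edit described above, and the lockout it warns about.
GOOD='root ALL=(ALL) ALL
#%admin ALL=(ALL) ALL
redknight ALL=(ALL) ALL'
LOCKOUT='root ALL=(ALL) ALL
#%admin ALL=(ALL) ALL'

check_sudoers "$GOOD"
check_sudoers "$LOCKOUT" || true
```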
By default all services are disabled. If you are going to enable one, just make sure you use the secure version (one that uses encryption) of each protocol. For example:
- Use SSH instead of Telnet
- Use SFTP (installed with SSH) instead of FTP
- Use HTTPS instead of HTTP, especially if you have authenticating applications running
This chapter refers globally to all services, but each of the daemons enabled should be configured individually. I recommend that you enable and harden the daemons one by one. When you are finished installing and hardening the first, move to the second, then to the third, and so on. Treating all the services is out of scope.
Make sure you have a login disclaimer or banner for each of the services that are active. As mentioned before, this may prevent legal issues and diminish the attacker's will to enter your system. Each server will be configured in a different way to present the banner. For example in SSH you must edit /etc/sshd_config and add the following line:
Error Messages & Configuration
Change the default error messages and server version presented by the daemons (for example, Apache's default 404 error, which includes the server version). This prevents the attacker from gathering important information about your system and the version of software you are using. Even though obscurity is not security, this is a very important step in hardening your system. Changing the default error messages and banners may be done in the server configuration files or even at compilation time in the source code. It all depends on which service you are installing.
Some services will also require more fine-grained hardening. For example, SSH by default supports two protocols (1 and 2). It is recommended you only use protocol 2, and this may be configured by editing /etc/sshd_config. Just change:
User access controls should also be enforced, and how they are configured depends on the service. This means you should only give access to the server to people who really need it. For example, SSH by default gives remote access to all users; however, this may be changed in the /etc/sshd_config file by adding the following line:
AllowUsers redknight user2
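The three sshd_config settings discussed above (login banner, protocol 2 only, AllowUsers) can be checked together. This is an added example, not part of the original article; the function names are hypothetical, the sample configurations are constructed, and /path/to/banner.txt is a placeholder.

```sh
#!/bin/sh
# Added example: audit sshd_config text for the three settings discussed above.

# effective_value KEYWORD: read sshd_config text on stdin and print the value
# sshd would use. Keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v kw="$1" '
        /^[ \t]*#/ { next }                           # skip comment lines
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# audit_sshd TEXT: print one FAIL line per problem; return 0 if there are none.
audit_sshd() {
    status=0
    proto=$(printf '%s\n' "$1" | effective_value Protocol)
    allow=$(printf '%s\n' "$1" | effective_value AllowUsers)
    banner=$(printf '%s\n' "$1" | effective_value Banner)
    # An unset Protocol counts as a failure: the page says the default is 1 and 2.
    [ "$proto" = 2 ] || { echo "FAIL Protocol '${proto:-unset}': want exactly 2"; status=1; }
    [ -n "$allow" ] || { echo "FAIL AllowUsers unset: every account may log in"; status=1; }
    case "$banner" in
        ''|none) echo "FAIL Banner unset: no login disclaimer is shown"; status=1 ;;
    esac
    return $status
}

# Constructed samples. /path/to/banner.txt is a placeholder, not a path from the page.
WEAK='Protocol 2,1
#AllowUsers redknight user2
Banner none'
HARDENED='protocol 2
AllowUsers redknight user2
Banner /path/to/banner.txt'

audit_sshd "$WEAK" || echo "sshd_config needs work"
audit_sshd "$HARDENED" && echo "sshd_config matches the settings above"
```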
Updates and Patches
I can't stress this idea enough: patch, patch and patch. Make it your daily or weekly job to look into the services' developer sites for new updates and/or security patches.
Mac OS X has the nasty habit of creating memory core dumps when applications crash. If sensitive information resides in memory at the time of the dump, this will all be printed to a file defeating our purpose of a secure system.
In order to prevent this from happening the file /etc/sysctl.conf should be created as a superuser and it should contain:
Interesting Ideas for the Truly Paranoid
These are some ideas I would love to see implemented and working on Mac OS X, and which would certainly add an extra bit of security to the system.
- USB Startup Key - this consists of a specific USB key coded in such a way that the computer always checks at startup, specifically at POST, for this key and does not continue with the normal process unless it is present. This is especially useful for preventing unauthorized users from accessing your machine.
- Face Recognition - the computer continually checks through a camera (iSight hopefully) the identity of the person using it, and if it matches an authorized user, then it lets him work properly, otherwise it simply blocks the machine. Even if other users have physical access to the machine, this prevents unauthorized users from accessing your information.
- Shutdown Sequence - if the computer is not shut down or restarted in a specific sequence (for example, on a portable: first disconnect the power cord, open a console and finally manually issue the shutdown command) the whole hard drive would be completely encrypted or wiped out. This is useful to prevent theft of information and even to protect your hard drive for further forensic analysis.