os x security n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
OS X Security PowerPoint Presentation
Download Presentation
OS X Security

Loading in 2 Seconds...

play fullscreen
1 / 13

OS X Security - PowerPoint PPT Presentation


  • 50 Views
  • Uploaded on

OS X Security. IT Security Analyst – Robert Vinson robert-vinson@uiowa.edu security@uiowa.edu. Reality Check. OS X had a similar number of vulnerabilities patched as Windows last year. Rootkits and worms have been developed for OS X. OS X machines can be and have been compromised.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'OS X Security' - sovann


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
os x security

OS X Security

IT Security Analyst – Robert Vinson

robert-vinson@uiowa.edu

security@uiowa.edu

reality check
Reality Check
  • OS X had a similar number of vulnerabilities patched as Windows last year.
  • Rootkits and worms have been developed for OS X.
  • OS X machines can be and have been compromised.
  • Move to x86 architecture makes OS X a more attractive target to exploit developers.
  • The Point: Use Anti-Virus, keep up to date on patches, etc.
physical boot security
Physical/Boot Security
  • Location – adequate visual surveillance
  • Service Provided – Affects which mitigation steps are realistic
  • Desktops
    • Open Firmware password
    • Case lock
    • Disable automatic root login in Single-User mode
  • Servers
    • Open Firmware password would hinder remote reboot
software updates
Software Updates
  • System Preferences -> Software Update
    • Servers should generally have this disabled.
    • Workstations should have daily update checks.
disable unneeded services
Disable Unneeded Services
  • Enumerate open ports
    • Netstat
    • Port scanner
    • Server Admin application
  • Disable unneeded services
    • Server Admin
    • /etc/hostconfig
slide6
SSH
  • Edit configuration file - /etc/sshd_config
  • Disallow root logins
  • Add usernames which should be able to connect via the AllowedUsers Directive.
  • Utilize firewall to restrict access to the daemon (e.g. perhaps restrict to University and Mediacom IP space only)
  • Add the service to xinetd and utilize xinetd throttling capabilites.
permissions
Permissions
  • OS X Permissions are weak.
    • Many world writable/readable directories and even executables!
  • Set more restrictive umask
    • Can be done via shell initialization files and/or globally
  • Audit permissions system wide
    • Good place to start: SUID files, world writable/files/directories
file serving
File Serving
  • AFP - allows for encrypted File transfer.
  • NFS - netboot mounts should be exported as read-only and squash root by default.
  • SMB – sharing in Windows environments.
firewall
Firewall
  • OS X uses the IPFW firewall.
  • Server Admin can be used to configure the firewall.
  • Greater control can be had by editing the /etc/ipfilter/ipfw.conf file.
  • IPFW utility can be scripted to open up ports at needed times, etc.
  • Utilize the firewall to scope down accessibility to services.
logging
Logging
  • Syslog – configuration in /etc/syslog.conf
  • /var/log
  • Remote logging, as always, is a very good idea.
    • Syslog server can be restricted to only accept alerts from certain IP(s) or subnet(s).
    • Generally a good idea to have a separate partition for /var or even /var/log on a syslog server
user authentication
User Authentication
  • Utilize Open Directory to set a password policy
    • Some Recommended settings
      • 8 char long passwords
      • Require alphanumeric
      • Enable expiring passwords
      • Enable account locking for failed attempts
  • Use pwpolicy to set policy
slide12
Misc.
  • File Vault
  • Disk Utility for fixing permissions
references resources
References/Resources
  • OS X Benchmark security document - http://www.cisecurity.org
  • NSA’s OS X Server Security Configuration guide - http://www.nsa.gov/snac
  • Apple – www.apple.com