TweetFollow Us on Twitter

Mac OS X Security Volume Number: 17 (2001)
Issue Number: 4
Column Tag: Mac Security

Mac OS X Security

By Jesse Corbeil, Montréal Québec

Securing a Mac OS X workstation for stand-alone or home use out of the box

Note: Mac OS X is currently in Public Beta. The final version may invalidate any or all of this paper. That's just a chance we take when we write how-tos about beta operating systems

In the world of operating systems, the Macintosh platform has traditionally been everybody else's secure neighbour. Not many virii or cracks affected the Mac (unless we counted cross-platform Word macros), and we were generally spared the heaps of abuse that were laid onto our Windows-using brethren. Whether this has been due to the brotherly Mac community or the simple fact that there aren't enough Mac OS computers out there to make it worthwhile is up for debate. The truth will become clear when we all trash our old Macs and buy brand-new Cubes to run Apple's swank new OS. Why is that? Because Mac OS X is nothing more than a shiny interface on top of a tweaked BSD core, and BSD is very much slugging it out at the centre of the cracks and exploits blattleground. With that in mind, this article will discuss how to secure the default installation for a workstation or for home use.

BSD

Unix-cowboys have it all over us Mac users. They trade in the ease-of-use and smooth operation to which we are accustomed on the Mac side for raw, unlimited power over their machines. The easy Mac or Windows click-to-install approach is shunned in favour of the ability to tweak the code of an app that didn't install properly; cutting, thwacking, and generally forcing the code until the app clicks smoothly into place. Further, whereas we tend to troubleshoot by twiddling the knobs and banging the pipes, Unix-gurus crawl under the sink to pull the works apart. They know their machines better than we know our mothers.

Now, all that is about to change- at least for those of us who actually want to dig about under the hood and still enjoy the Mac OS experience.

With the change to Mac OS X, Apple reduces the number of major-player non-Unix OSes by one, while simaultaneously giving the Unix world something it has been trying to develop with imperfect solutions like KDE and Gnome: a distro with a polished and usable GUI.

What the BSD core (fetchingly called 'Darwin') gives back to the Mac is a rock-solid OS with all the buzz-technologies incorporated: multi-this, protected-that, and the new-to-Mac concept of an application crashing without taking down the OS. Unfortunately, what else we get is a security headache. Suddenly, all those Unix-savvy hacks and virii are mac-savvy too. Added to that (and I feel safe in going out on this particular limb), the country-bumpkin image that the Mac OS has enjoyed in hacker circles is about to be replaced by a perception of the OS as the sexy new Unix. Eager crackers will want to try out all the exploits and probe the nooks and crannies.

The Swiss-Cheese OS

Once they've been properly set up, the BSDs are generally pretty secure. They are developed by security-conscious communities and tend to be deployed in sensitive areas like networking and databasing. The Calgary-based OpenBSD is regarded as the most secure BSD distribution, incorporating many crypto and security features that would be non-exportable had it been an American distro subject to US export laws. Obviously, Apple could not have based Mac OS X in Open BSD and still sold the OS outside the US, but the more freely-exportable BSDs are still very secure, and the choice to base Mac OS X on the platform is still a solid one.

OpenBSD aside, any distro must be properly hardened to close up some of the dozens of holes left open by a default installation. This is where Darwin shows its BSD roots, and where a certain familiarity with Unix system hardening comes in. On a typical BSD system, one of the things an admin would do to secure the system is to edit the inetd.conf file to disable unneeded services. Mac OS X comes with the inetd.conf file already set up in a pretty secure configuration, but that doesn't mean that the OS is completely tight. There are other security holes in the default setup (such as services not covered by inetd.conf) that must be addressed before deploying the OS in a secured environment. When configuring services, the general rule of thumb is If you're not using it, turn it off.

There are some cool gewgaws in Mac OS X, though their default configurations can be pretty insecure. Running dmesg, for instance, reveals that there is an IP packet filter initialised but that it's wide open; The NFS daemon is active by default, which opens up a security hole, as does the Portmap daemon. There's an NTP daemon enabled, which opens a very slight security risk: though one wouldn't generally try to compromise the system through NTP, it is theoretically possible to muck about with it to make time-sensitive apps do one's bidding. But by far the coolest feature of the OS in terms of un-fubar-ability is the separation of admin accounts from the central, all-powerful root user. As part of the OS installation, I was asked to create an administrator account for myself. I set the system up as "jcorbeil," which is the account I generally use. From there I can administer just about anything on the machine - so long as the function is GUI accessible. However, if I try to enter rm -rf * in a Terminal window, the system will tell me to stuff myself. Why is this? It's due to Apple's approach to Mac OSX's design. Apple has made it as difficult as possible to hose your system by limiting GUI access to most of the really dangerous functions. That's a smart move on Apple's part, as it effectively stops non-gurus from inadvertently committing atrocities.

Another safety feature was revealed when I checked out the NetInfo application, which is where all system and user information is centralised. I discovered (and verified via a quick etc/passwd check) that even though my account is an administrator account, the system still pledges its allegiance to a separate root account that was automatically generated during installation. In other words, "jcorbeil" may be the system admin, but he doesn't have the same set of priviledges as the bonafide root user. To do something that only the root can (like erase the works), I have to su to root in Terminal, then do my damage. It's not hard, as the root account shares jcorbeil's password by default, but there's a certain level of know-how involved in getting to the 'destroy-the-OS' point that is beyond the ken of most new users coming from a classic Mac OS background.

Openings and Closings

To get a bit of an aperçu of what ports are open on your system, open a Terminal window and enter netstat -an (Figure 1). This will display your machine's ports and whether they are listening, established, or closed. If you want to see the ports' names, use the netstat -a command. It's a safe bet that you'll find ports you don't recognise. That's normal, but for for those who want to know all about ports, http://www.doshelp.com/trojanports.htm has some resources for the inquisutive firewall admin.


Figure 1. What comes up when you type netstat -an

Chances are, you'll find two local addresses near the bottom of the list, called *.111 and *.514. These are our first two security issues. *.111 is portmap, which is a daemon for making RPC calls. It is also lousy for security, and is best turned off. *.514 is the syslog daemon, which listens on UDP and receives log broadcasts from other servers. Sounds pretty innocuous, right? Well, UDP is not a two-way protocol, so there's no way for syslog to verify whether or not the sender of a given datum is who he says he is, which opens up the potential for a denial of service attack. Nasty stuff. Tighten *.514 up by using IPF to stop connections other than 127.0.0.1 (more on this later).

After that, run a search for any files that are either world-writeable or owned by the "nobody" user or group. Every one of these opens up a little security hole, and should therefore be viewed with great circumspection. You might need a couple of them, you might not. Look about and clean up what you can by tightening up the access control to world-writeable files or files with 'nobody' ownership.

IPFilter: Built-in Security

IPFilter is a firewall that gets installed with the kernel, and is where some of the power of a BSD-based OS comes to the fore. IPFilter alone warrants a book or two, but there are some basics that everyone can use as a springboard to using IPF fairly quickly.

IPF works by processing a rules file. The rules file is a text file of conditions and actions for IPF to take when those conditions come to pass, for example blocking packets, letting packets through, and logging them. Set up IPF's rules file for blocking, passing, and logging based upon the criteria you want to employ. For example, say you don't want TCP packets coming in. You would edit the ipf.rules file by entering the following line of text:

block in on ed0 proto tcp from any to any

If you wanted the above to block only one port (say *.514), you would change the text to read:

block in on ed0 proto tcp from any to any port = 514.

Fiddle with the file, blocking and unblocking ports until you have a tight system from which you can still run the transactions you need. It is generally a good idea to start off your rules file with a command to block all ports. That way, any port that doesn't have a rule expressly attributed to it is covered by the first rule, and is blocked.

IPF is quite powerful, and it's a good idea to become well-acquainted with it. More in-depth information can be found at http://coombs.anu.edu.au/ipfilter.

SSH and Kerberos

Two things that I haven't touched on in this article are SSH and Kerberos. That has been done on purpose, as there is very little to be done with either of them for a home or standalone system set-up. SSH comes as part of the standard installation and is an extremely effective tool for keeping your system tight. For our purposes, you won't need to change the configuration. Just be serene in the knowledge that it's running and it has your safety in mind. Accordingly, you don't need to run services like rsh, telnet, rlogin, or ftp. They represent unneeded security risks, so unless you expressly need one of them for something, shut them down.

Kerberos uses a client/server setup, and you would only worry about Kerberos if you were on a network that uses the protocol. Since we're securing a home machine, we'll leave Kerberos alone.

Take it to the Bone

These solutions are not the be-all, end-all secret to how to secure your home system from a brilliant hacker, but they do form a solid foundation from which you can do further research into the methods and tools available to secure your computer. If you want to read further, check out the IP FilterFAQ at http://coombs.anu.edu.au/ipfilter/ipfilfaq.html, or read O'Reilly's Practical UNIX & Internet Security by Garfinkel and Spafford.

Whether or not you decide to delve into the deep, dark depths of computer security, a basic knowledge will still help you understand the basics. Basic knowledge will at least let you understand the theory behind a security breach that might nail your machine, and understanding will hand you the keys you need to get the problem fixed. Computer security doesn't have to be scary, indeed, it can even sometimes be fun. Getting caught unawares by a cracker, on the other hand, can cause you immeasurable pain.


Jesse Corbeil is the Director of Documentation at SecureOps, a network security consulting firm in Montréal, Canada. He has written for beoscentral.com and several other information sites, and is involved in the Marathon Open Source project.

 

Community Search:
MacTech Search:

Software Updates via MacUpdate

Adobe Audition CC 2018 11.0.1 - Professi...
Audition CC 2018 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous Audition customer). Adobe Audition CC 2018 empowers you to create and... Read more
Adobe After Effects CC 2018 15.0.1 - Cre...
After Effects CC 2018 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous After Effects customer). The new, more connected After Effects CC... Read more
Adobe Premiere Pro CC 2018 12.0.1 - Digi...
Premiere Pro CC 2018 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous Premiere Pro customer). Adobe Premiere Pro CC 2018 lets you edit... Read more
Adobe Photoshop CC 2018 19.1 - Professio...
Photoshop CC 2018 is available as part of Adobe Creative Cloud for as little as $19.99/month (or $9.99/month if you're a previous Photoshop customer). Adobe Photoshop CC 2018, the industry standard... Read more
Spotify 1.0.69.336. - Stream music, crea...
Spotify is a streaming music service that gives you on-demand access to millions of songs. Whether you like driving rock, silky R&B, or grandiose classical music, Spotify's massive catalogue puts... Read more
rekordbox 5.1.1.0001 - Professional DJ m...
rekordbox is the best way of preparing and managing your tracks, be it at home, in the studio, or even on the plane! It allows you to import music from other music-management software using the... Read more
Mactracker 7.7.1 - Database of all Mac m...
Mactracker provides detailed information on every Mac computer ever made, including items such as processor speed, memory, optical drives, graphic cards, supported OS X versions, and expansion... Read more
Printopia 3.0.6 - Share Mac printers wit...
Run Printopia on your Mac to share its printers to any capable iPhone, iPad, or iPod Touch. Printopia will also add virtual printers, allowing you to save print-outs to your Mac and send to apps.... Read more
Luminar 2018 1.1.0 - Powerful, adaptive,...
Luminar 2018 is the new full-featured image editor that adapts to the way you edit photos. Over 300 essential tools to fix, edit, and enhance your photos with comfort. The future of photo editing is... Read more
Opera 50.0.2762.67 - High-performance We...
Opera is a fast and secure browser trusted by millions of users. With the intuitive interface, Speed Dial and visual bookmarks for organizing favorite sites, news feature with fresh, relevant content... Read more

Latest Forum Discussions

See All

Jydge hints, tips, and tricks - Everythi...
Just released on iOS, Jydge is a prequel to Neon Chrome and is set in the same universe. Not just that, but the games play in pretty similar ways with them both being twin stick shooters full of surprises. As you might expect from a 10tons game,... | Read more »
World of Warships Blitz: A guide to tact...
Ahoy mates! It's time to set out on the high seas for some PvP battles, and ... sorry, actually, World of Warships Blitz has nothing to do with pirates. Let's start over. [Read more] | Read more »
Around the Empire: What have you missed...
Around this time every week we're going to have a look at the comings and goings on the other sites in Steel Media's pocket-gaming empire. We'll round up the very best content you might have missed, so you're always going to be up to date with the... | Read more »
Everything about Hero Academy 2: Part 4...
In this part of our Hero Academy 2 guide, we're going to have a look at some of the tactics you're going to need to learn if you want to rise up the ranks. We're going to start off slow, then get more advanced in the next section. [Read more] | Read more »
All the best games on sale for iPhone an...
Another week has flown by. Sometimes it feels like the only truly unstoppable thing is time. Time will make dust of us all. But before it does, we should probably play as many awesome mobile videogames as we can. Am I right, or am I right? [Read... | Read more »
The 7 best games that came out for iPhon...
Well, it's that time of the week. You know what I mean. You know exactly what I mean. It's the time of the week when we take a look at the best games that have landed on the App Store over the past seven days. And there are some real doozies here... | Read more »
Popular MMO Strategy game Lords Mobile i...
Delve into the crowded halls of the Play Store and you’ll find mobile fantasy strategy MMOs-a-plenty. One that’s kicking off the new year in style however is IGG’s Lords Mobile, which has beaten out the fierce competition to receive Google Play’s... | Read more »
Blocky Racing is a funky and fresh new k...
Blocky Racing has zoomed onto the App Store and Google Play this week, bringing with it plenty of classic kart racing shenanigans that will take you straight back to your childhood. If you’ve found yourself hooked on games like Mario Kart or Crash... | Read more »
Cytus II (Games)
Cytus II 1.0.1 Device: iOS Universal Category: Games Price: $1.99, Version: 1.0.1 (iTunes) Description: "Cytus II" is a music rhythm game created by Rayark Games. It's our fourth rhythm game title, following the footsteps of three... | Read more »
JYDGE (Games)
JYDGE 1.0.0 Device: iOS Universal Category: Games Price: $4.99, Version: 1.0.0 (iTunes) Description: Build your JYDGE. Enter Edenbyrg. Get out alive. JYDGE is a lawful but awful roguehate top-down shooter where you get to build your... | Read more »

Price Scanner via MacPrices.net

Where to buy 13″ Apple MacBook Pros for up to...
B&H Photo has 13″ MacBook Pros on sale for $100 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 13-inch 2.3GHz/128GB Space Gray MacBook Pro (MPXQ2LL/A... Read more
Apple Refurbished 2017 iMacs available starti...
Apple has a full line of Certified Refurbished iMacs available for up to $350 off original MSRP. Apple’s one-year warranty is standard, and shipping is free. The following models are available: – 27... Read more
Apple offers clearance 2016 13-inch MacBook A...
Apple has Certified Refurbished 2016 13″ MacBook Airs available starting at $809. An Apple one-year warranty is included with each MacBook, and shipping is free: – 13″ 1.6GHz/8GB/128GB MacBook Air: $... Read more
Clearance Apple refurbished iMacs available s...
Apple has previous-generation Certified Refurbished 2015 21″ & 27″ iMacs available starting at $849. Apple’s one-year warranty is standard, and shipping is free. The following models are... Read more
How to save $150-$420 on the purchase of a 20...
B&H Photo has 15″ MacBook Pros on sale for up to $200 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 15″ 2.8GHz Touch Bar MacBook Pro Space Gray (... Read more
How to save $100-$180 on the purchase of a 20...
B&H Photo has 13″ MacBook Airs on sale for $50-$120 off MSRP. Shipping is free, and B&H charges sales tax for NY & NJ residents only: – 13″ 1.8GHz/128GB MacBook Air (MQD32LL/A): $899, $... Read more
Save on Beats: $30-$80 off headphones, earpho...
Walmart has Beats by Dr. Dre on sale on their online store for $30-$80 off MSRP, depending on the item: – Powerbeats3 Wireless Earphones: $134, save $65 – BeatsX Earphones: $109, save $40 – Beats... Read more
Deals on clearance 15″ Apple MacBook Pros wit...
B&H Photo has clearance 2016 15″ MacBook Pros available for up to $800 off original MSRP. Shipping is free, and B&H charges NY & NJ sales tax only: – 15″ 2.7GHz Touch Bar MacBook Pro... Read more
Apple restocked Certified Refurbished 13″ Mac...
Apple has restocked a full line of Certified Refurbished 2017 13″ MacBook Airs starting at $849. An Apple one-year warranty is included with each MacBook, and shipping is free: – 13″ 1.8GHz/8GB/128GB... Read more
How to find the lowest prices on 2017 Apple M...
Apple has Certified Refurbished 13″ and 15″ 2017 MacBook Pros available for $200 to $420 off the cost of new models. Apple’s refurbished prices are the lowest available for each model from any... Read more

Jobs Board

*Apple* Solutions Consultant - Apple (United...
# Apple Solutions Consultant Job Number: 113384559 Brandon, Florida, United States Posted: 10-Jan-2018 Weekly Hours: 40.00 **Job Summary** Are you passionate about Read more
Security Engineering Coordinator, *Apple* R...
# Security Engineering Coordinator, Apple Retail Job Number: 113237456 Santa Clara Valley, California, United States Posted: 18-Jan-2018 Weekly Hours: 40.00 **Job Read more
*Apple* Data Center Site Selection and Strat...
# Apple Data Center Site Selection and Strategy Research Analyst Job Number: 83708609 Santa Clara Valley, California, United States Posted: 18-Jan-2018 Weekly Hours: Read more
Engineering Manager - *Apple* TV - Apple (U...
# Engineering Manager - Apple TV Job Number: 113305053 Santa Clara Valley, California, United States Posted: 05-Dec-2017 Weekly Hours: 40.00 **Job Summary** The Read more
AppleCare Support Engineer for *Apple* Medi...
# AppleCare Support Engineer for Apple Media Products Job Number: 113222855 Santa Clara Valley, California, United States Posted: 14-Nov-2017 Weekly Hours: 40.00 Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.