Mar 23 2007

Cast-Iron Apple

How to Harden OS X

With Apple’s Mac OS X, security is built in by default: network services stay disabled unless a user intentionally enables each one individually, which is an established best practice.

Organizations with standard desktop system arrays find the OS X operating system’s default security settings more than adequate. Nevertheless, for users whose systems demand higher security controls, OS X can be modified. Although Mac OS X has two interfaces, the graphical user interface is most commonly used for configuration, with the command line available for further tweaking.

Controlling Network Access

Like its Microsoft Windows counterpart, OS X comes with a built-in firewall, known as ipfw. Under Mac OS X 10.2 and later, simply open the System Preferences panel, click Sharing and then click the Firewall button. There you can enable or disable firewall features to suit an assortment of needs.

From a security standpoint, logging should be enabled, particularly by users who intend to carry out regular log audits. Logging lets managers detail specifics such as what events transpired, who carried them out and when. Mac OS X writes its logs to the /var/log directory by default. To determine whether the firewall is logging in Mac OS X, run sysctl net.inet.ip.fw.verbose and check the value: 1 means logging is enabled, 0 means it is disabled. To enable logging, enter the command sudo sysctl -w net.inet.ip.fw.verbose=1; to disable it, enter sudo sysctl -w net.inet.ip.fw.verbose=0. A value set this way lasts only until the next reboot, so check it again after restarting.

Now that logging is enabled, you’ll want to review those logs for useful information. Go to Applications, then Utilities, and click on the Console utility icon. From the File menu, choose the ipfw log (located under /var/log) or any other log you wish to open.
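Reading the ipfw log in Console is fine for a quick look, but an audit wants the entries summarized. The following is an added example, not code from the article: it parses ipfw log lines of the format written to /var/log/ipfw.log (the sample entries, addresses and times are constructed) and reports which sources were denied on several different ports, a useful cue for the reviewer.

```python
import re

# Constructed sample entries in the format ipfw writes to /var/log/ipfw.log once
# net.inet.ip.fw.verbose=1 (made-up addresses and times, not a real log).
SAMPLE_LOG = """\
Mar 23 09:14:02 macbook ipfw: 12190 Deny TCP 192.0.2.44:51523 10.0.1.5:22 in via en0
Mar 23 09:14:03 macbook ipfw: 12190 Deny TCP 192.0.2.44:51524 10.0.1.5:23 in via en0
Mar 23 09:14:05 macbook ipfw: 12190 Deny TCP 192.0.2.44:51525 10.0.1.5:80 in via en0
Mar 23 09:14:09 macbook ipfw: 2000 Accept TCP 10.0.1.9:49211 10.0.1.5:548 in via en0
Mar 23 09:15:30 macbook ipfw: 12190 Deny UDP 198.51.100.7:40000 10.0.1.5:161 in via en0
Mar 23 09:15:31 macbook ipfw: 12190 Deny TCP 192.0.2.44:51526 10.0.1.5:443 in via en0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text):
    """Return one dict per well-formed ipfw line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("rule", "sport", "dport"):
                ev[key] = int(ev[key])
            events.append(ev)
    return events


def denied_ports_by_source(events):
    """Map each source address to the sorted destination ports it was denied on."""
    ports = {}
    for ev in events:
        if ev["action"] == "Deny":
            ports.setdefault(ev["src"], set()).add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def sources_worth_a_look(events, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a cue for the
    audit, not proof of anything by itself."""
    return sorted(src for src, p in denied_ports_by_source(events).items()
                  if len(p) >= min_ports)
```

Feed it the real file with parse_ipfw_log(open("/var/log/ipfw.log").read()) and tune min_ports to the noise level of your network.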

TCP Wrappers

Transmission Control Protocol Wrappers (also known as tcpd) carry out several system security functions. Mac OS X arrives with TCP Wrappers already installed, and users need only edit the configuration files to reap their benefits. Note that even though TCP Wrappers is built in, it is not enabled until its configuration files exist; to enable tcpd, enter the command touch /etc/hosts.allow /etc/hosts.deny to create both the /etc/hosts.allow and /etc/hosts.deny configuration files. The /usr/libexec/tcpd wrapper, which inetd (the Internet daemon) hands incoming connections to, consults these configuration files to decide whether to grant access. Most users prefer to deny any access that is not specifically allowed, by adding the line ALL: ALL to the /etc/hosts.deny file.

The TCP Wrapper steps in at the initial network connection: it accepts the connection for the specified service, logs the details of the request and/or connection, and then permits or denies access to the incoming request according to the access control rules in place. tcpd can control both TCP and User Datagram Protocol-based services and authorizes clients against a list of established network users.
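The order in which tcpd consults the two files is what makes the ALL: ALL line in hosts.deny effective. The following added example (not the article’s or libwrap’s own code) models that evaluation on constructed hosts.allow and hosts.deny contents; it covers the common address patterns and the EXCEPT operator, and leaves out hostname, netgroup and shell-command forms that real hosts_access(5) syntax also supports.

```python
import ipaddress

# Constructed /etc/hosts.allow and /etc/hosts.deny contents of the kind the article
# describes: an explicit allow list plus a catch-all deny. Real libwrap syntax has
# more forms; this model covers ALL, exact IPs, 'prefix.' and net/mask with EXCEPT.
HOSTS_ALLOW = """\
# management LAN may reach sshd, except one untrusted host; the web is open to all
sshd: 10.0.1.0/255.255.255.0 EXCEPT 10.0.1.200
httpd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"


def client_matches(pattern, client_ip):
    """One pattern: ALL, an exact address, a 'prefix.' or a net/mask pair."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def client_list_matches(client_list, client_ip):
    """'a b EXCEPT c d' matches when the left part matches and the right does not."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return client_list_matches(left, client_ip) and not client_list_matches(right, client_ip)
    return any(client_matches(p, client_ip) for p in client_list.split())


def file_matches(text, daemon, client_ip):
    """True if any non-comment line of the file matches this daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (field.strip() for field in line.split(":", 2)[:2])
        if daemons == "ALL" or daemon in daemons.replace(",", " ").split():
            if client_list_matches(clients, client_ip):
                return True
    return False


def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: allow file first, then deny file; a client listed
    in neither is permitted, which is why the catch-all deny line matters."""
    if file_matches(allow, daemon, client_ip):
        return "allow"
    return "deny" if file_matches(deny, daemon, client_ip) else "allow"
```

Passing deny="" shows the failure mode the article warns about: without hosts.deny, every service not mentioned in hosts.allow is open to everyone.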

Encrypt Files Using FileVault 

FileVault, a built-in Mac OS X feature, uses the 128-bit Advanced Encryption Standard to encrypt (and decrypt) data stored in a user’s home folder. The home folder is therefore the preferred location for critical data: if the computer is stolen or lost, the encrypted data within it remains protected. Users gain access to the files only after the system has authenticated them and they have logged in, at which point files are decrypted automatically when opened. To access FileVault, open System Preferences and click the Security icon.

Get to the Root of Security 

By default, the root account in Mac OS X is disabled and has no password. Users are encouraged to assign a password to the root account as soon as practicable; failing to do so leaves the system fair game for an attacker who gains access and enables the root account. To enable or disable the root account:

1. Go to Finder, select Go, and choose Applications.

2. Open Utilities, then NetInfo Manager.

3. In the NetInfo Manager window, click on the lock.

4. Enter an admin user name and password, then select OK.

5. Select Security, and Enable Root User.

6. The first time a user selects this option, a “NetInfo Error” prompt will appear, because a root password has not yet been set and is still blank. Select OK.

7. Enter a strong root password you wish to use and select Set.

8. Re-enter the password and select Verify. The root user is now enabled.

9. To disable the root user again, select Security, then Disable Root User.

Freebies that Help

A network intrusion detection system called Snort is available free for Mac OS X. Lightweight and easy to configure (an available GUI utility makes it simple), Snort performs real-time protocol and traffic analysis and packet logging on Internet Protocol networks. Like tcpdump, Snort can sniff packets, but it can also log packet data, a boon for organizations that need to debug traffic. Snort’s plug-in design means there are no command lines to key in and no compiling required for configuration; everything is included and preset.

HenWen, a network security package developed by Nick Zitzmann, lets Mac OS X users configure and run Snort in a snap. HenWen was developed so users could maintain software that scans for undesirable traffic their firewalls might miss. HenWen is available at seiryu.home.comcast.net/henwen.html. Other Snort features include detection of buffer overflows, Common Gateway Interface attacks, Server Message Block probes, stealth port scans, content searches and matches, and OS fingerprinting probes.

Douglas Schweitzer, A+, Network+, iNet+, CIW, is an Internet security specialist and author of several information security books.