“The security systems have to win every time, the attacker only has to win once.”
- Dustin Dykes
[Bonus material is available for some items. Use this link to show all “Bonus Material” { + } ]If you have not yet had a chance to securely configure your Mac OS X system to meet the campus Cyber Safety Program policy requirements, you may find this Quick-Click Guide useful.
Another source that may provide a useful example of how to introduce your users to computer security is my podcast: Secure Your Computer Now.
This note describes Mac OS X configuration settings for Cyber Safety Program compliance. It is terse and bare-bones, but it does give you a recipe of things to click and check.
Systems should remain isolated from the operational network until they are
completely and securely configured whenever possible;
use of an isolated test network is recommended for installation and configuration.
The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent document describing steps you should take before you connect a computer to the Internet. The page contains configuration information for both Windows XP and Mac OS X users.
http://www.us-cert.gov/reading_room/before_you_plug_in.html/
Date & Time preferences should be set to use a network time server to ensure correct time entries in the audit logs.
NOTE: This is a per-user setting. To make it a global setting, you will need to set up a login hook as described in the advanced security section at the end of this document.
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]
NOTE: The Remote Login service allows users to access the machine remotely. And so, it provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended. (See Remote Login in the advanced section below.)
The following only works on Mac OS X 10.4 (Tiger) and later.
/usr/bin/pwpolicy -a `whoami` -setglobalpolicy "usingHistory=10 minChars=12 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1 maxFailedLoginAttempts=10"
Note: A user who gets maxFailedLoginAttempts will disappear from the login screen if you are using the icon display. They will need to be re-enabled with:
pwpolicy -a `whoami` -u shortusername -enableuserSimilarly, you can disable logins for a user, leaving their files intact for later reuse, and removing their name and icon from the icon-view login window, with:
pwpolicy -a `whoami` -u shortusername -disableuserSee: man pwpolicy for more details on what each option does.
Why do I need a long password?
Remember in my CyberSafety talk I described how, if a hacker had access to your encrypted password (called a password “hash"), that they could crack any arbitrary 8-character password (and 14-character LanManager passwords) in about a minute?
Well they've upgraded their hardware and shortened the average time to 0.08 seconds.
Here's some boasting from their website:
"Pre-computed hash tables are files that include every possible hash,
along with it's plaintext, this is much quicker than a simple brute force,
and much more thorough than a dictionary attack... We have developed a
unique solution for our customers that dramatically speeds up the
dictionary process. Your hashes are automatically checked against our
dictionary, at an average of .08 seconds per hash!"
So passwords are pointless?
No, they just need to be longer10 characters is a start, 12 characters long is better.
Cracking a 12-character password could require as much as 260,000,000 times the resources as an 8 character password.
And here's an article about it (Thanks, Sherie):
NEW SERVICE CRACKS PASSWORDS
The Register, November 10, 2005
Entire article: http://www.theregister.co.uk/2005/11/10/password_hashes/Summary: Three computer hackers have set up a Web site that offers accessfor a feeto so-called rainbow tables, which are said to allow cracking of most passwords. Computers use codes, or hashes, to conceal user passwords. The creators of the RainbowCrack Online Web site spent two years generating hashes for virtually all possible passwords and storing them in vast tables. With the tables, breaking a password becomes as simple as looking up the hashes and working backwards to the password. Developers of RainbowCrack said the service is not intended for malicious uses but as a tool for network administrators to improve the security of their systems. Security expert Bruce Schneier disagreed, saying he doesn't see any “legitimate business demand” for the service. Philippe Oechslin of Swiss firm Objectif Securite said that system designers can easily incorporate elements into password schemes that add sufficient complexity as to make rainbow tables ineffective in cracking passwords. Schneier said that although such changes are not difficult, very few systems are designed to use them. “A lot of systems are weak,” he said.
Here's another article about password strength.
Before you install Sophos Anti-Virus you NEED to uninstall any existing Anti-Virus software and reboot!
Applications => Symantec Solutions => Symantec Uninstaller
The Symantec uninstall utility is also available on recent versions of the UC Davis Internet Tools CD as well as directly from Symantec's support site:
NOTE: If the Symantec Uninstaller reports that there is nothing to uninstall, but you know it is installed, e.g. can see Symantec AntiVirus in the Symantec Solutions folder, you will need to reinstall Symantec AntiVirus and then run the uninstaller again (sheesh!).
http://xbase.ucdavis.edu/itexpress/?f=art&art=1463
Select Open Sophos Anti-Virus... from the black Sophos shield in the menu bar at the top of your screen.
Select the drive(s) you want to scan (so that the little dot to the left of the drive name is green and bright
), and click the green start button.
[The Trojans material is available as Bonus Material. Use this link to show all “Bonus Material” { + } ]
Few spyware programs that affect Mac OS X have yet been identified (as of Wednesday, June 15th, 2016). Hence, there currently are only a very small number of bona fide Macintosh products that claim to eradicate it.
If you are running a Mac (with no Windows or BootCamp partitions) then you do not need Anti-Spyware.
-->
Don’t know if you are running an Open Email Relay? If you are running a mail relay, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up. Here’s a way to check if your machine is running a mail server on the standard smtp port.
telnet `uname -n` smtp
Trying 62.210.77.51... telnet: connect to address 62.210.77.51: Connection refused telnet: Unable to connect to remote host
Trying 62.210.77.51... telnet: connect to address 62.210.77.51: Operation timed out telnet: Unable to connect to remote host
In either case, you’re probably good. (For now.)
Don’t know if you are running an Proxy Server? If you are running a proxy server, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up.
If you have not set one up, if your firewall is enabled, and if "Personal Web Sharing” is not enabled in the firewall (see Sharing/Firewall section above), then you are probably OK.
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]
In Mac OS X 10.3 (Panther):
In Mac OS X 10.4 (Tiger):
A padlock icon will appear in the menu bar with options to lock the scress and/or your keychain. You can use the Lock Screen option to lock your screen immediately before you step away from your computer.
The Keychain Acess application also allows individual access controls to be placed on keys in the keychain. If you have keys that grant access to particularly sensitive information, I recommend that the access control for that key be changed to "Ask for keychain password."
To configure this for a key:
The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent page designed to help you configure your web browser for safer internet surfing. It is written for home computer users, students, and business workers. The page contains configuration information for both Windows and Macintosh users, with instructions for all the major web browsers.
http://www.us-cert.gov/reading_room/securing_browser/
The U.S Computer Emergency Readiness Team (US-CERT) site contains a variety of excellent publications and pages where you can learn more about computer and workplace security.
http://www.us-cert.gov/reading_room/
http://docs.info.apple.com/article.html?artnum=108009
A Symantec posting, concerning the “Mac OS X Archive Metadata Command Execution Vulnerability,” at
http://securityresponse.symantec.com/avcenter/security/Content/16736.html
has the following recommendations:
Most of the remaining items in the policy require inspection of
files, behavior modification, or individual policy decisions that are
beyond the scope of this “Quick-Click” Guide.Additional information and discussion of these issues can be found at:
Disclaimer This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing these recommendations to address local operational and policy concerns.
The default umask on Mac OS X systems is 022; this means that be default all users are granted read access to all newly created files. One recommendation is that this be changed to 077 so that only the creator has access to the file. In Mac OS X the umask value must be specified in decimal; the octal value 077 is decimal 63. To change the default umask value:
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 63
/usr/bin/sudo /bin/chmod 644 /Library/Preferences/.GlobalPreferences.plist
To return the umask value to the default setting of 022, use the following command:
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 18(the octal value 022 is decimal 18)
The Remote Login service allows users to access the machine remotely using SSH. The service should be disabled if not required because it also provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended.
Versions
The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 suffers from security vulnerabilities. I recommend that only version 2 be used. To disable version 1 connections, edit the file /etc/sshd_config and change the line that starts with:
#Protocol 2,1
to:
Protocol 2
/usr/bin/sudo /usr/bin/vi /etc/sshd_config
Connections
NOTE: xinetd was dropped in Mac OS X 10.5 (Leopard) The Apple Developer site on Getting Started with launchd notes the following about Migrating from xinetdBy default, xinetd and ssh accept connections from all hosts. To change this behavior, add the line
The main thing to keep in mind when migrating from xinetd is the InetdCompatibility key. Most of the service restrictions traditionally imposed from xinetd can be implemented through launchd. The most important exception is the only_from field in xinetd.conf files, which launchd doesn't implement. If you need to restrict the source addresses of internet service connections, use the standard Mac OS X Firewall service. Services run by xinetd are always run on demand.So the following instructions to configure only_from will NOT work in Mac OS X 10.5 and later.
only_from =to the configuration options. This will deny access to all hosts by default, unless specifically permitted. To acomplish this edit or create the file /etc/xinetd.conf so that it looke like:
# man xinetd.conf for more information
defaults
{
instances = 60
log_type = SYSLOG daemon
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
per_source = 10
only_from =
}
includedir /etc/xinetd.d
/usr/bin/sudo /usr/bin/vi /etc/xinetd.conf
only_from = 62.210.77.0
(using the appropriate numbers and syntax for your netowrk). For example, edit or crete the file /etc/xinetd.d/ssh so that it look like:
service ssh
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/libexec/sshd-keygen-wrapper
server_args = -i
groups = yes
flags = REUSE
session_create = yes
only_from = 62.210.77.0
}
/usr/bin/sudo /usr/bin/vi /etc/xinetd.d/ssh
Set the ownership and protection for these updated files with:
/usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.conf /usr/bin/sudo /bin/chmod 444 /etc/xinetd.conf /usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.d/ssh /usr/bin/sudo /bin/chmod 444 /etc/xinetd.d/ssh
You need to restart the xinetd proccess to have the changes to the configuration files take effect.
To reset the xinetd process open a terminal window, paste in the following command, and press the return key.
/usr/bin/sudo /bin/kill -HUP `cat /var/run/xinetd.pid`
On the other hand, if for some bizarre operational requirement you need to keep SSH open to the world and you're are getting lots of these in your logs:myhost sshd[9987]: error: PAM: Authentication failure for admin from a.b.c.d myhost sshd[9987]: error: PAM: Authentication failure for guest from a.b.c.d myhost sshd[9987]: error: PAM: Authentication failure for root from a.b.c.d myhost sshd[9987]: error: PAM: Authentication failure for webmaster from a.b.c.dThen think about the following:But as you can see, there a couple of minor flaws or considerations with this technique...Thomas Knox writes: Date: March 6, 2006 6:42:58 AM PST Subject: Re: Mac OS X hacked under 30 minutes If you do have SSH on your Mac open to the world, here's a short script I hacked up to at least stop script kiddies from hammering SSH with dictionary attacks (or other BFMI attacks) against your system: #!/bin/bash /usr/bin/tail -f /private/var/log/system.log | \ /usr/bin/grep Failed\ password | /usr/bin/grep illegal\ user | \ /usr/bin/awk '{system("/sbin/route add " $13 " 127.0.0.1")}' Just nohup it into the background as root when you boot the system, and make sure that it gets re-started when your system.log file is rotated. Tom
Global (computer-wide) setup to “Require password to wake this computer from sleep or screen saver"
The challenge: Apple considers this to be a user level setting. The preference is stored in the ByHost folder of the user’s ~/Library/Preferences in a plist file that is named in a machine-specific way by built-in ethernet hadrware address. For example:
com.apple.screensaver.aa0004005364.plist
To force this setting to apply to all users of a machine, you can setup a “login hook". If you don’t know what that is, talk to your system administrator before proceding...
NOTE: The command “/usr/bin/sudo /usr/bin/defaults write...” used in the instructions below only works in Mac OS X 10.4 (Tiger) and later. For instructions for enabling a login hook in 10.2 and 10.3, and 10.4.2 and later, see: http://docs.info.apple.com/article.html?artnum=301446
You should study and understand what these files do before implementing this. Here are the commands (adapt this for your own site.)
/usr/bin/sudo /bin/mkdir /Library/GEOadmin /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/geo-sslock.plist -s -o /Library/GEOadmin/geo-sslock.plist /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/login.hook-geo -s -o /etc/login.hook /usr/bin/sudo /bin/chmod 700 /etc/login.hook # # then you need to modify root's com.apple.loginwindow.plist # not /Library/Preferences/com.apple.loginwindow.plist # /usr/bin/sudo /usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.loginwindow LoginHook /etc/login.hook
[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]
This item requires: “A policy has been developed and implemented defining the use, inspection and retention of audit logs.”
The policy is up to you. Here is a link to an article on how to set up a syslog server on a Mac OS X (Tiger) machine.
The article is by AaronAdams on the www.afp548.com web site:Configuring Tiger’s syslogd to accept logs from external devices
Near the end of the article, AaronAdams describes setting up an /etc/daily.local script to keep the log working after the periodic daily script runs. My experience is that you also may need to create /etc/weekly.local and /etc/monthly.local scripts with the same content to keep the log working after the periodic weekly amd periodic monthly scripts run.
To get clients to send log messages to your syslog server you need to add a line to the /etc/syslog.conf configuration file on each client. The line contains two parts: what to log (in terms of facility and severity level) and the destination (where to send the message). Assuming you wanted to send messages of severity *.warning, to your logging host, biglog.example.net you would add a line similar to the following to the /etc/syslog.conf file on each client:
*.warning @mybiglog.example.comBe sure to read the man syslog.conf file for full datails about the severity level and file format. NOTE: This is one of those UN*X configuration files where the action (level and severity) and the destination fields of the configuration line must be separated by a TAB character, not just whitespace.
/usr/bin/sudo /usr/bin/vi /etc/syslog.conf
This is how you would configure other unix and unix-like systems to log to your server, too.
My experience with Mac OS X 10.4.3 is that you may need to create /etc/daily.local, /etc/weekly.local, and /etc/monthly.local scripts with the same content as describe in the article to keep the log working after the periodic daily, periodic weekly, and periodic monthly scripts run.
After making the configuration change to the on the client you will either need to reboot, or restart the syslogd daemon to get the changes to take effect. The easiest way to restart the syslog daemon, assuming you’ve created the /etc/daily.local file, is simply to invoke that file with /usr/bin/sudo. For example:
/usr/bin/sudo /etc/daily.local[Bonus material is available for this item. Use this link to show all “Bonus Material” { + } ]Your syslog server does not need to be a Mac OS X Server machine. Mac OS X (Tiger) client works just as well. You will need to add a firewall entry to allow UDP traffic to reach the server on port 514. You should also realize that without additional configuration your syslog server may be vulnerable to a Denial-of-Service through port 514, or from log file overflow. Plan wisely.
Please send comments, corrections, and suggestions to: epwaterstraat at ucdavis dot edu