Securing your computer: Macintosh Quick-Click Guide

“The security systems have to win every time, the attacker only has to win once.”
          - Dustin Dykes

[minor updates and corrections: Tuesday, February 7th, 2012 11:30:35 AM PST]

[Showing “Bonus Material”, use this link for simple view { – } ]

Another source that may provide a useful example of how to introduce your users to computer security is my podcast: Secure Your Computer Now.

Table of Contents

• System Preferences
• Date & Time
• Accounts
• Security
• Screen Saver
• Software Updates
• Sharing (& Firewall)
• Password Complexity
• Why do I need a long password?
• AntiVirus
• AntiTrojan (?), e.g. OSX/Leap-A
• AntiSpyware
• E-mail Relay
• Proxy Server
• Keychain Access
• Other Safe Computing Practices
• Additional & Advanced Security Settings
  • System default file protection (umask)
  • Remote Login - SSH Options
  • Global Require password to wake this computer from sleep or screen saver
  • Audit Logs
• References

This note describes Mac OS X configuration settings for Cyber Safety Program compliance. It is terse and bare-bones, but it does give you a recipe of things to click and check.

Systems should remain isolated from the operational network until they are completely and securely configured whenever possible; use of an isolated test network is recommended for installation and configuration.

The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent document describing steps you should take before you connect a computer to the Internet. The page contains configuration information for both Windows XP and Mac OS X users.

   http://www.us-cert.gov/reading_room/before_you_plug_in.html/

Set Up System Preferences  

• Date & Time

  Date & Time preferences should be set to use a network time server to ensure correct time entries in the audit logs.

  1. Open System Preferences and click Date & Time
  2. If settings are dimmed, click the lock icon and type an administrative name and password
  3. Click Date & Time
  4. Select the “Set Date & Time automatically” checkbox. The server should be set to: time.apple.com

  ---

   
• Accounts
  1. Open System Preferences and click Accounts
  2. If settings are dimmed, click the lock icon and type an administrative name and password
  3. Ensure each account has a good password
    see: http://docs.info.apple.com/article.html?artnum=106521
  4. Click Login Options and deselect “Automatically log in as:"
  5. (recommenced) Select the “Name and password” button

  ---

   
• Security
  1. Open System Preferences and click Security
  2. If settings are dimmed, click the lock icon and type an administrative name and password
  3. Select “Require password to wake this computer from sleep or screen saver” checkbox

  NOTE: This is a per-user setting. To make it a global setting, you will need to set up a login hook as described in the advanced security section at the end of this document.

  4. Select the “Disable automatic login” checkbox
  5. Select the “Require password to unlock each secure system preference” checkbox
  6. (Mac OS X 10.4) Select the “Use secure virtual memory” checkbox.

  ---

   
• Screen Saver
  1. Open System Preferences and click Desktop & Screen Saver
  2. If settings are dimmed, click the lock icon and type an administrative name and password
  3. Click the Screen Saver button
  4. Select a screen saver in the list, or select the “Use Random screen saver” checkbox to see a different screen saver each time the screen saver is activated
  5. Drag the “Start Screen saver” slider to choose when the screen saver starts. It's required that this be set to 20 minutes or less by campus policy

  ---

   
• Software Updates
  1. Open System Preferences and click Software Updates
  2. If settings are dimmed, click the lock icon and type an administrative name and password
  3. Click Check for Updates and set the interval to Weekly or Daily
  4. If you have Microsoft Office 2004 installed, launch /Applications/Microsoft AutoUpdate.app, click Automatically and set the interval to Weekly or Daily
  5. If you have other applications that provide security updates, such as Adobe products, configure them to update Weekly or Daily too.

  Blue stuff is for Kengshi and Paul.

  Can be used for lab and office computers that do not have round-the-clock compute jobs running.
  This setup will run Software Update, after 8 AM, and Symantec LiveUpdate, during the noon hour, out of cron jobs.
  Reboot will happen if the update requires it. If a user is logged in, a reboot message will be posted to the screen
  

  ---

  
     # save a copy of existing /etc/crontab and get our additions
  
     /usr/bin/sudo /bin/cp /etc/crontab /etc/crontab.geosaved
     /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/lab/crontab -s -o /etc/crontab.geoadd
  
     # append crontab.geoadd to the existing /etc/crontab
  
     /usr/bin/sudo /bin/chmod o+w /etc/crontab
     /usr/bin/sudo /bin/cat /etc/crontab.geoadd >> /etc/crontab
     /usr/bin/sudo /bin/chmod o-w /etc/crontab
  
     # make the GEOadmin directory in /Library to hold our scripts and download them
  
     /usr/bin/sudo /bin/mkdir /Library/GEOadmin
     /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/lab/autoSU.sh         -s -o /Library/GEOadmin/autoSU.sh
     /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/lab/psuReboot.pl      -s -o /Library/GEOadmin/psuReboot.pl
     /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/lab/reboot-request.sh -s -o /Library/GEOadmin/reboot-request.sh
  
  
     /usr/bin/sudo /usr/bin/touch /var/log/SU.log
  
     # fix up the permissions
  
     /usr/bin/sudo /usr/sbin/chown -R root:admin /Library/GEOadmin
     /usr/bin/sudo /bin/chmod -R 744 /Library/GEOadmin
  

  ---

  The following command will set Software Update to query the Geology update server instead of Apple’s. (You probably don't want to use this command. Customize for your site.)

    #/usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/lab/com.apple.SoftwareUpdate.plist -s -o /Library/Preferences/com.apple.SoftwareUpdate.plist
  

  The following command will clear the setting.

     /usr/bin/sudo /bin/rm /Library/Preferences/com.apple.SoftwareUpdate.plist
  

   

  ---

• Sharing (& Firewall)
1. Open System Preferences and click Sharing
2. If settings are dimmed, click the lock icon and type an administrative name and password
3. Click Services
4. Turn off (uncheck) all unneeded services in the list
If already enabled by your network administrator, leave the following items enabled (checked):
• Apple Remote Desktop
• Remote Login

NOTE: The Remote Login service allows users to access the machine remotely. And so, it provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended. (See Remote Login in the advanced section below.)

(If you don't know what any of the other services do, you probably don't need them, and should disable them.)
5. Click the Firewall button
6. If the Firewall is off, click Start
If already enabled, leave the following items enabled (checked):
• Apple Remote Desktop
• Remote Login
• iChat (there may be several of these)
• Retrospect
• Network Time
(If you don't know what any of the other services do, you probably don't need them, and should disable them.)
7. If you are running Mac OS X 10.4 (Tiger), click the advanced button and enable firewall logging

---

 
• Password Complexity

  The following only works on Mac OS X 10.4 (Tiger) and later.

  1. Log into an administrator account on your computer
  2. Launch Terminal (located in /Applications/Utilities)
  3. Paste the following line into the Terminal window, and then press the return key

     /usr/bin/pwpolicy -a `whoami` -setglobalpolicy "usingHistory=10 minChars=12 requiresAlpha=1 requiresNumeric=1 passwordCannotBeName=1 maxFailedLoginAttempts=10"
  

  4. When prompted, enter your password (this is your local administrator password on your Mac). In typical UNIX fashion, if you get no error message, you can probably assume the command worked.
  5. Type “exit” in the Terminal window and then quit Terminal

     Note: A user who gets maxFailedLoginAttempts will disappear from the login screen if you are using the icon display. They will need to be re-enabled with:

        pwpolicy -a `whoami` -u shortusername  -enableuser
     

     Similarly, you can disable logins for a user, leaving their files intact for later reuse, and removing their name and icon from the icon-view login window, with:

        pwpolicy -a `whoami` -u shortusername  -disableuser
     

     See: man pwpolicy for more details on what each option does.

  ---

    Why do I need a long password?

  Remember in my CyberSafety talk I described how, if a hacker had access to your encrypted password (called a password “hash"), that they could crack any arbitrary 8-character password (and 14-character LanManager passwords) in about a minute?

  Well they've upgraded their hardware and shortened the average time to 0.08 seconds.

  Here's some boasting from their website:

  "Pre-computed hash tables are files that include every possible hash,
  along with it's plaintext, this is much quicker than a simple brute force,
  and much more thorough than a dictionary attack... We have developed a
  unique solution for our customers that dramatically speeds up the
  dictionary process. Your hashes are automatically checked against our
  dictionary, at an average of .08 seconds per hash!"
  

  So passwords are pointless?

  No, they just need to be longer—10 characters is a start, 12 characters long is better.

  Cracking a 12-character password could require as much as 260,000,000 times the resources as an 8 character password.

  And here's an article about it (Thanks, Sherie):

  ---

  NEW SERVICE CRACKS PASSWORDS
  The Register, November 10, 2005
  Entire article: http://www.theregister.co.uk/2005/11/10/password_hashes/
  

  Summary: Three computer hackers have set up a Web site that offers access—for a fee—to so-called rainbow tables, which are said to allow cracking of most passwords. Computers use codes, or hashes, to conceal user passwords. The creators of the RainbowCrack Online Web site spent two years generating hashes for virtually all possible passwords and storing them in vast tables. With the tables, breaking a password becomes as simple as looking up the hashes and working backwards to the password. Developers of RainbowCrack said the service is not intended for malicious uses but as a tool for network administrators to improve the security of their systems. Security expert Bruce Schneier disagreed, saying he doesn't see any “legitimate business demand” for the service. Philippe Oechslin of Swiss firm Objectif Securite said that system designers can easily incorporate elements into password schemes that add sufficient complexity as to make rainbow tables ineffective in cracking passwords. Schneier said that although such changes are not difficult, very few systems are designed to use them. “A lot of systems are weak,” he said.

  ---

   

  Here's another article about password strength.

  ---

Anti-Virus

• Before You Install Sophos AntiVirus

  Before you install Sophos Anti-Virus you NEED to uninstall any existing Anti-Virus software and reboot!

  • To Uninstall Sophos Anti-Virus for either platform. see this link:

        http://xbase.ucdavis.edu/2135

  • To Uninstall Symantec AV for Mac OS X, you need to run the Symantec (or Norton) uninstall utility. On your computer's hard disk, the path to the Uninstall program is:

        Applications => Symantec Solutions => Symantec Uninstaller

    The Symantec uninstall utility is also available on recent versions of the UC Davis Internet Tools CD as well as directly from Symantec's support site:

        http://service1.symantec.com/SUPPORT/num.nsf/docid/2002110814042611/Applications/Symantec Solutions/Symantec Uninstaller

    NOTE: If the Symantec Uninstaller reports that there is nothing to uninstall, but you know it is installed, e.g. can see Symantec AntiVirus in the Symantec Solutions folder, you will need to reinstall Symantec AntiVirus and then run the uninstaller again (sheesh!).

  • To Uninstal Symantec AV for Windows, see this link:

        http://xbase.ucdavis.edu/itexpress/?f=art&art=1463

• Install Sophos AntiVirus
  1. Log into the campus software website at http://software.ucdavis.edu

  2. Select Anti-Virus from the list on the left side of the page

  3. Click Anti-Virus for Univeristy Use Only: Forefront and Sophos

  4. Download Sophos for Mac

  5. Double click the “Sophos_Mac_Anti-Virus.zip” icon

  6. Double click the “Sophos Anti-Virus.mpkg” icon

  7. Install Sophos Anti-Virus

  8. Authenticate as an administrator, when prompted

  9. Close the installer when finished

  Open the Sophos item in System Preferences and set preferences appropriately.
  10. From the black Sophos shield in the Menu Bar, select “Update Now”

  11. When the update finishes, you may close the AutoUpdate Status window

  12. Restart your computer

  13. Log back in

  14. The next, and final, step is to do a full scan of your computer.

      Select Open Sophos Anti-Virus... from the black Sophos shield in the menu bar at the top of your screen.

      Select the drive(s) you want to scan (so that the little dot to the left of the drive name is green and bright ), and click the green start button.

  15. ... go do something useful until it is done.

  16. Also, take a look at: What setting should I use in Sophos Anti-Virus for dealing with threats?

  ---

   
• Trojans — OSX/Leap-A-style Trojan protection

[Showing “Bonus Material”, use this link for simple view { – } ]

The OSX/Leap-A trojan seems not nearly as threatening as is one of the features used in its execution—placing code in an admin- or user-writable InputMethods folder whose contents will be loaded by each Cocoa application as it launches. The Macintosh Daily Journal (2006.02.19) notes:

None of these folders exist by default on a standard Mac OS X system, but just about any application can create them.... Any program you run can, at any time, create “~/Library/InputManagers” and add a code bundle to it. Furthermore, any admin user can create “/Library/InputManagers” and add code files to it that, after that point, will load into every Cocoa application that any user launches.

Until Apple releases a patch or remedy for this situation you might want to implement your own protection as outlined in the following command set.

The following commands may be useful in keeping malware, such as the OSX/Leap-A trojan from installing InputManager bundles without first seeking permission. The code preemptively creates the InputManagers directories and sets the ownership and protection so that they are not easily writable. This method builds from information supplied by Rob Griffiths in an article at MacWorld:

   http://www.macworld.com/news/2006/02/16/leapafaq/index.php

Caveat: My code here has only been tested in my own environment and may not be the right solution for everyone. To quote Matt Deatherage, “If you want to write system-wide rules or policies, you have to try your hardest to imagine what they'll do for *everyone* who has to use the system—not just you and people with your skill level.” Make sure you know what you are doing.

Do I recommend doing this on all of your systems?   No!    I recommend evaluating your operating enviroinment and assessing if something like this is apprpoiate.

BTW, these commands are designed to be run in a bash shell window.

---

#
# change the permissions on the system-wide /Library/InputManagers directory
#
   /usr/bin/sudo /bin/mkdir -pv /Library/InputManagers 
   /usr/bin/sudo /usr/sbin/chown root:admin /Library/InputManagers
   /usr/bin/sudo /bin/chmod 544 /Library/InputManagers
   /usr/bin/sudo /usr/bin/chflags uchg /Library/InputManagers
#
# and do the same for all the user-specific directories in /Users
# but first, guarantee we're using bash so the for;do;done sequence works
#
   /bin/bash  
   for eachuser in `/bin/ls /Users`
   do
      if [  == 'Shared' ]
      then
         echo Skipping: 
         echo ----
      else
         echo Changing: /Users//Library/InputManagers...
         /usr/bin/sudo /bin/mkdir -pv /Users//Library/InputManagers 
         /usr/bin/sudo /usr/sbin/chown root:admin /Users//Library/InputManagers
         /usr/bin/sudo /bin/chmod 544 /Users//Library/InputManagers
         /usr/bin/sudo /usr/bin/chflags uchg /Users//Library/InputManagers
         echo Modified: /Users//Library/InputManagers
         echo ----
      fi
   done
   exit
#
# do the same for your own user-specific directory
#   Only need this if your home directory is in NOT /Users...
#   ( may get failures on the following if your home directory IS in /Users 
#     but that is only because it is now protected. )
#
   /bin/mkdir -pv ~/Library/InputManagers 
   /usr/sbin/chown root:admin ~/Library/InputManagers
   /usr/bin/sudo /bin/chmod 544 ~/Library/InputManagers
   /usr/bin/sudo /usr/bin/chflags uchg ~/Library/InputManagers
#

---

John C. Welch adds “If you want to be REALLY paranoid, use schg [instead of uchg in the chflags command], and you can only undo that in single user mode.”

As noted in Rob’s article, “...your InputManagers folder is now effectively blocked from access—by Leap-A, or any other piece of code that wants to place something there. If you plan on installing add-ons such as SafariStand or Sogudi for Safari, or Chax for iChat, you’ll need to temporarily return this folder to your ownership to do so.” See Rob’s article for instructions on how to do this.

---

Other Issues

 
• Anti-Spyware

  Few spyware programs that affect Mac OS X have yet been identified (as of Tuesday, February 7th, 2012). Hence, there currently are only a very small number of bona fide Macintosh products that claim to eradicate it.

  If you are running a Mac (with no Windows or BootCamp partitions) then you do not need Anti-Spyware.

  -->

  ---

   
• No Open Email Relays

  Don’t know if you are running an Open Email Relay? If you are running a mail relay, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up. Here’s a way to check if your machine is running a mail server on the standard smtp port.

  1. Launch Terminal (located in /Applications/Utilities)
  2. Paste the following line into the Terminal window, and then press the return key

     telnet `uname -n` smtp
  

  3. You should see something like the following “Connection refused” message right away, indicating that no service is running on port 25:

        Trying 50.16.132.180...
        telnet: connect to address 50.16.132.180: Connection refused
        telnet: Unable to connect to remote host
     

  4. If your firewall is set to “Stealth Mode” you will get a “Trying address..." message right away, but the connection will take a while to timeout. After about a minute, instead of connection refused. you will get an “Operation timed out” message, such as:

        Trying 50.16.132.180...
        telnet: connect to address 50.16.132.180: Operation timed out
        telnet: Unable to connect to remote host
     

     In either case, you’re probably good. (For now.)

  5. If you get a “Connected to hostname” message, you’ve got a problem, see your system administrator right away!

  ---

   
• Proxy Server

  Don’t know if you are running an Proxy Server? If you are running a proxy server, it would be because you had set one up, and presumable you would know about it. Or a hacker could have broken into your machine and set one up.

  If you have not set one up, if your firewall is enabled, and if "Personal Web Sharing” is not enabled in the firewall (see Sharing/Firewall section above), then you are probably OK.

  Lookinng for a tool to check your network for open proxies? Check out (at your own risk):

      http://www.corpit.ru/mjt/proxycheck.html

  ---

   
• Keychain access

In Mac OS X 10.3 (Panther):

1. Launch /Applications/Utilities/Keychain Access.app
2. from the View menu, select the “Show Status in Menu Bar” item
3. Quit Keychain Access

In Mac OS X 10.4 (Tiger):

1. Launch /Applications/Utilities/Keychain Access.app
2. Select Preferences from the Keychain Acess menu
3. Select the “Show Status in Menu Bar” checkbox
4. Click Certificates
5. Select “Best Attempt” for both “Online Certificate Status Protocol” and “Certificate Revocation List”
6. Close Preferences
7. From the Edit menu select “Change Settings for Keychain “login&rduo; ”
8. (optionally) Select the “Lock after 20 minutes of inactivity” checkbox
9. Select the “Lock when sleeping” checkbox
10. Click Save
11. Quit Keychain Access

A padlock icon will appear in the menu bar with options to lock the scress and/or your keychain. You can use the Lock Screen option to lock your screen immediately before you step away from your computer.

The Keychain Acess application also allows individual access controls to be placed on keys in the keychain. If you have keys that grant access to particularly sensitive information, I recommend that the access control for that key be changed to "Ask for keychain password."

To configure this for a key:

1. Launch /Applications/Utilities/Keychain Access.app
2. Double-click on the key you want to change
3. Click “Access Control"
4. Select the “Ask for keychain password” checkbox
5. Click Save
6. Quit Keychain Access

---

Other Safe Computing Practices

• Securing Your Web Browser

The U.S Computer Emergency Readiness Team (US-CERT) site contains an excellent page designed to help you configure your web browser for safer internet surfing. It is written for home computer users, students, and business workers. The page contains configuration information for both Windows and Macintosh users, with instructions for all the major web browsers.

   http://www.us-cert.gov/reading_room/securing_browser/

• Safe Computing

The U.S Computer Emergency Readiness Team (US-CERT) site contains a variety of excellent publications and pages where you can learn more about computer and workplace security.

   http://www.us-cert.gov/reading_room/

• Safety tips for handling email attachments and content downloaded from the Internet

   http://docs.info.apple.com/article.html?artnum=108009

• Symantec Recommendations

A Symantec posting, concerning the “Mac OS X Archive Metadata Command Execution Vulnerability,” at

   http://securityresponse.symantec.com/avcenter/security/Content/16736.html

has the following recommendations:

• Do not accept or execute files from untrusted or unknown sources.
• Do not open files that originate from unknown or untrusted sources, even those considered to be of a safe file type. This will mitigate against this and other latent vulnerabilities.
• Run all software as a non-privileged user with minimal access rights.
• Always perform daily tasks as an unprivileged user with minimal access rights. This will limit the consequences of successful exploitation of this and other latent vulnerabilities.

---

Note:

Most of the remaining items in the policy require inspection of
files, behavior modification, or individual policy decisions that are
beyond the scope of this “Quick-Click” Guide.

Additional information and discussion of these issues can be found at:

    http://security.ucdavis.edu/cybersafety.cfm

Bonus Material:   Additional & Advanced Security Settings

Disclaimer

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing these recommendations to address local operational and policy concerns.

---

 
• File System default file protection (umask)

The default umask on Mac OS X systems is 022; this means that be default all users are granted read access to all newly created files. One recommendation is that this be changed to 077 so that only the creator has access to the file. In Mac OS X the umask value must be specified in decimal; the octal value 077 is decimal 63. To change the default umask value:

1. Log into an administrator account on your computer
2. Launch Terminal (located in /Applications/Utilities)
3. Paste the following line into the Terminal window, and then press the return key

   /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 63

4. When prompted, enter your password
5. And paste the following line into the Terminal window, and then press the return key

   /usr/bin/sudo /bin/chmod 644 /Library/Preferences/.GlobalPreferences.plist

6. Type “exit” in the Terminal window and then quit Terminal

---

To return the umask value to the default setting of 022, use the following command:

      /usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 18

  (the octal value 022 is decimal 18)

---

 
• Remote Login - SSH Options

The Remote Login service allows users to access the machine remotely using SSH. The service should be disabled if not required because it also provides a means for unauthorized users to access the machine remotely. If it is operationally ncessary to run Remote Login/SSH, then altering the default settings is recommended.

Versions

The default installation of OpenSSH allows both SSH version 1 and version 2 connections. Version 1 suffers from security vulnerabilities. I recommend that only version 2 be used. To disable version 1 connections, edit the file /etc/sshd_config and change the line that starts with:

    #Protocol 2,1

to:

    Protocol 2

---

/usr/bin/sudo /usr/bin/vi /etc/sshd_config

---

Connections

NOTE: xinetd was dropped in Mac OS X 10.5 (Leopard)

The Apple Developer site on Getting Started with launchd notes the following about Migrating from xinetd

The main thing to keep in mind when migrating from xinetd is the InetdCompatibility key. Most of the service restrictions traditionally imposed from xinetd can be implemented through launchd. The most important exception is the only_from field in xinetd.conf files, which launchd doesn't implement. If you need to restrict the source addresses of internet service connections, use the standard Mac OS X Firewall service. Services run by xinetd are always run on demand.

So the following instructions to configure only_from will NOT work in Mac OS X 10.5 and later.

By default, xinetd and ssh accept connections from all hosts. To change this behavior, add the line

   only_from =

to the configuration options. This will deny access to all hosts by default, unless specifically permitted. To acomplish this edit or create the file /etc/xinetd.conf so that it looke like:

---

# man xinetd.conf for more information

defaults
{
        instances               = 60
        log_type                = SYSLOG daemon
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
        per_source              = 10
        only_from               = 
}

includedir /etc/xinetd.d

---

/usr/bin/sudo /usr/bin/vi /etc/xinetd.conf

---

To permit Remote Login access to ssh from hosts on your subnet, edit or create the file /etc/xinetd.d/ssh to add a new line just after the line “session_create = yes” similar to the following:

   only_from = 50.16.132.0  

(using the appropriate numbers and syntax for your netowrk). For example, edit or crete the file /etc/xinetd.d/ssh so that it look like:

---

service ssh
{
        disable = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/sshd-keygen-wrapper
        server_args     = -i
        groups          = yes
        flags           = REUSE 
        session_create  = yes
        only_from       = 50.16.132.0  
}

---

/usr/bin/sudo /usr/bin/vi /etc/xinetd.d/ssh

---

If present, remove the IPV6 option from the flags = line, as the network specified in the only_from line is in IPV4 syntax.

Set the ownership and protection for these updated files with:

   /usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.conf
   /usr/bin/sudo /bin/chmod 444 /etc/xinetd.conf
   /usr/bin/sudo /usr/sbin/chown root:wheel /etc/xinetd.d/ssh
   /usr/bin/sudo /bin/chmod 444 /etc/xinetd.d/ssh

You need to restart the xinetd proccess to have the changes to the configuration files take effect. To reset the xinetd process open a terminal window, paste in the following command, and press the return key.

   /usr/bin/sudo /bin/kill -HUP `cat /var/run/xinetd.pid`

---

On the other hand, if for some bizarre operational requirement you need to keep SSH open to the world and you're are getting lots of these in your logs:

   myhost sshd[9987]: error: PAM: Authentication failure for admin from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for guest from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for root from a.b.c.d
   myhost sshd[9987]: error: PAM: Authentication failure for webmaster from a.b.c.d

Then think about the following:

---

Thomas Knox writes:
Date:    March 6, 2006 6:42:58 AM PST
Subject: Re: Mac OS X hacked under 30 minutes

If you do have SSH on your Mac open to the world, here's a short script I 
hacked up to at least stop script kiddies from hammering SSH with 
dictionary attacks (or other BFMI attacks) against your system:

   #!/bin/bash
   
   /usr/bin/tail -f /private/var/log/system.log | \
       /usr/bin/grep Failed\ password | /usr/bin/grep illegal\ user | \
       /usr/bin/awk '{system("/sbin/route add " $13 " 127.0.0.1")}'

Just nohup it into the background as root when you boot the system, and 
make sure that it gets re-started when your system.log file is rotated.

Tom

---

But as you can see, there a couple of minor flaws or considerations with this technique...

---

 
• Security - Advanced

Global (computer-wide) setup to “Require password to wake this computer from sleep or screen saver"

The challenge: Apple considers this to be a user level setting. The preference is stored in the ByHost folder of the user’s ~/Library/Preferences in a plist file that is named in a machine-specific way by built-in ethernet hadrware address. For example:

   com.apple.screensaver.aa0004005364.plist

To force this setting to apply to all users of a machine, you can setup a “login hook". If you don’t know what that is, talk to your system administrator before proceding...

NOTE: The command “/usr/bin/sudo /usr/bin/defaults write...” used in the instructions below only works in Mac OS X 10.4 (Tiger) and later. For instructions for enabling a login hook in 10.2 and 10.3, and 10.4.2 and later, see: http://docs.info.apple.com/article.html?artnum=301446

You should study and understand what these files do before implementing this. Here are the commands (adapt this for your own site.)

/usr/bin/sudo /bin/mkdir /Library/GEOadmin
/usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/geo-sslock.plist -s -o /Library/GEOadmin/geo-sslock.plist
/usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/login.hook-geo -s -o /etc/login.hook
/usr/bin/sudo /bin/chmod 700 /etc/login.hook
#
# then you need to modify root's com.apple.loginwindow.plist 
# not /Library/Preferences/com.apple.loginwindow.plist
#
/usr/bin/sudo /usr/bin/defaults write /private/var/root/Library/Preferences/com.apple.loginwindow LoginHook /etc/login.hook

---

  Additional lab computer setup:

The release of Mac OS X 10.4.3 contains some new enhancements which should help alleviate some common confusion that results from the Login Window coming up before the network is ready.
Host Information Field

The Host Information field in the Login Window UI displays a number of different bits information such as the System Build, System Version, Host Name (the default), Serial Number, or Time.

In Mac OS X 10.4.3, IP Address and Network Account Status were added. The IP Address is that of the primary interface. If that interface doesn’t have an address the IP Address is not shown.

The Network Account Status provides information about the availability of Network Accounts. The following states are available:


GREEN DOT - Network Accounts Available (I have connectivity to ALL of my remote DS)
YELLOW DOT - Some Network Accounts Available (I have connectivity to some, but not all of my remote DS)
RED DOT - Network Accounts Unavailable (I have no connectivity to ANY remote DS)
Network Access Requires Login (Access to the network requires authentication -- i.e. 802.1x)

An Administrator can specify which field to show when loginwindow UI displays by doing the following:

defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo <desired field>

Where <desired field> is one of the following: HostName, SystemVersion, SystemBuild, SerialNumber, IPAddress, DSStatus, or Time.

Once you have written the default to a sample workstation, you could use the Workgroup Manager preference editor to apply this preference to ANY computer list (including Guest Computers) in your remote Directory Service.

Startup Delay

The startup delay will delay the display of the Login Window UI by the number of seconds specified by the system administrator.

This is done to allow the system time to finish obtaining an IP Address via DHCP and for DS to bind to the servers.

If the Login Window UI detects that the network servers are available when it starts, it will skip the delay.

If the network servers become available before the delay expires, the Login Window UI cancels the delay and displays. An Administrator can specify the startup delay d by doing the following:

defaults write /Library/Preferences/com.apple.loginwindow StartupDelay -int <number of seconds to delay>

Once you have written the default to a sample workstation, you could use the Workgroup Manager preference editor to apply this preference to ANY computer list (including Guest Computers) in your remote Directory Service.

I hope you find these two new enhancements useful in your enterprise deployments.

   /usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo DSStatus

---

Create a login window access warning:

Use the following command to change the login window access warning:

   sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "Warning Text"

Replace Warning Text with your access warning text. For example:

   /usr/bin/sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText "This computer system is for authorized users only and is to be used only for authorized purposes. Consistent with law and university policy, system access may be logged and monitored for security and performance issues. Unauthorized use may subject the user to disciplinary action and/or prosecution."

To create a command-line warning:

   /usr/bin/sudo /usr/bin/curl http://computing.geology.ucdavis.edu/security/motd.txt -s -o /etc/motd

---

 

• II-C Audit Logs

This item requires: “A policy has been developed and implemented defining the use, inspection and retention of audit logs.”

The policy is up to you. Here is a link to an article on how to set up a syslog server on a Mac OS X (Tiger) machine.

The article is by AaronAdams on the www.afp548.com web site:

    Configuring Tiger’s syslogd to accept logs from external devices

Near the end of the article, AaronAdams describes setting up an /etc/daily.local script to keep the log working after the periodic daily script runs. My experience is that you also may need to create /etc/weekly.local and /etc/monthly.local scripts with the same content to keep the log working after the periodic weekly amd periodic monthly scripts run.

To get clients to send log messages to your syslog server you need to add a line to the /etc/syslog.conf configuration file on each client. The line contains two parts: what to log (in terms of facility and severity level) and the destination (where to send the message). Assuming you wanted to send messages of severity *.warning, to your logging host, biglog.example.net you would add a line similar to the following to the /etc/syslog.conf file on each client:

    *.warning	    @mybiglog.example.com

Be sure to read the man syslog.conf file for full datails about the severity level and file format. NOTE: This is one of those UN*X configuration files where the action (level and severity) and the destination fields of the configuration line must be separated by a TAB character, not just whitespace.

---

/usr/bin/sudo /usr/bin/vi /etc/syslog.conf

---

This is how you would configure other unix and unix-like systems to log to your server, too.

My experience with Mac OS X 10.4.3 is that you may need to create /etc/daily.local, /etc/weekly.local, and /etc/monthly.local scripts with the same content as describe in the article to keep the log working after the periodic daily, periodic weekly, and periodic monthly scripts run.

After making the configuration change to the on the client you will either need to reboot, or restart the syslogd daemon to get the changes to take effect. The easiest way to restart the syslog daemon, assuming you’ve created the /etc/daily.local file, is simply to invoke that file with /usr/bin/sudo. For example:

   /usr/bin/sudo /etc/daily.local

Your syslog server does not need to be a Mac OS X Server machine. Mac OS X (Tiger) client works just as well. You will need to add a firewall entry to allow UDP traffic to reach the server on port 514. You should also realize that without additional configuration your syslog server may be vulnerable to a Denial-of-Service through port 514, or from log file overflow. Plan wisely.

---

• Apple’s Common Criteria Configuration and Administration Guide

• A Corsaire White Paper: Securing Mac OS X

• Apple Mac OS X v10.3.x “Panther” Security Configuration Guide by the National Security Agency.

Apple Mac OS X Server v10.3.x “Panther” Security Configuration Guide by the National Security Agency.
• and my own experience and the advice of others.

  Please send comments, corrections, and suggestions to: epwaterstraat at ucdavis dot edu