10.4 Tiger

Mac OS Configuration Guidelines

These are the Case Tier II (and above) baseline configuration guidelines for Mac OS, based on the Center for Internet Security (CIS) templates. They apply to hosts in the Case environment that will be used to process [Tier II and Tier III] (sensitive) university information. Credit goes to Matt Emerson (rme@grc.nasa.gov) for these elements, crafted from the CIS baseline.

The Tier III baseline will also include [Bastille_Linux] lockdown elements.

Mac OS X Tiger Level I Security Benchmark


Contents

1. Introduction

2. Rules

2.1. Start from a fresh installation of Mac OS X

2.2. Check for software updates regularly

2.3. Enable network time synchronization

2.4. Configure locking screen saver

2.4.1. Require a password to unlock the screen saver

2.4.2. Set the screen saver to appear after a period of inactivity

2.5. Disable automatic login

2.6. Normal use should be as a regular user, not an administrator

2.7. Display login banner

2.8. Leave unused services disabled

2.9. Enable firewall

2.10. Enable remote logging

2.11. Use good passwords

2.12. Find world-writable files

2.13. Encrypt home directory and swap files

2.13.1. Configure FileVault

2.13.2. Configure secure virtual memory

3. Profiles

3.1. Desktop system settings

3.2. Notebook system settings

4. References

1. Introduction

This benchmark provides recommendations on security settings for Mac OS X Tiger. The recommendations are aimed at general-purpose Mac OS X systems used primarily by a single person in an ordinary office environment. Notebook computers used by travelling users are also covered. Neither servers nor other special-purpose systems are addressed.

An important goal of the recommendations is to maintain the unique functionality and ease of use of the Macintosh system by using the security features Apple built into the system. The security settings are prudent rather than paranoid, and are intended to be applicable to nearly all Mac OS X systems.

Note that the default security settings of Mac OS X are quite good. Millions of people use the default installation of Mac OS X on their home computers and safely connect to the Internet. Extensive configuration is not required to secure a Mac OS X system. This benchmark recommends changes to some of the default settings that make using the computer easier for the home user but are not appropriate for the office environment. The benchmark also recommends additional settings that further improve system security.

Description

This document is a CIS Level I benchmark for Mac OS X 10.4 Tiger. A Level I benchmark is the prudent level of minimum due care with respect to system security.

2. Rules

2.1. Rule: Start from a fresh installation of Mac OS X

In order to start from a known state and have confidence in the integrity of the system software, it is best to begin configuration from a fresh installation of the operating system. Under ideal circumstances, the computer will remain physically disconnected from the network until it has been fully configured and patched. In this case, software updates from Apple must be downloaded to a separate system, checked for authenticity via their SHA-1 hashes, and written to removable media. The removable media can then be used to update the newly installed system. To compute the SHA-1 hash of a file, use

openssl sha1 file-name

If disconnected installation is not feasible, the risk of attaching the system to the network and downloading the updates via the Software Update preference pane is relatively small.

When installing the system from the distribution, the defaults are acceptable. If there are printer drivers, languages, or fonts that you will not be using, you may deselect them. During the installation process, you will be prompted to create a user name and password for an initial account. This account will be an administrator. Pick a name for the account and select a good password for it. Regular user accounts will be created later.

If you are unable to start from a fresh installation, the benchmark settings will still be useful, but it is possible that the system may have been altered in some not easily detectable way that might leave it vulnerable to unauthorized access or use.
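The SHA-1 check described above, as an added shell example (it is not part of the CIS benchmark or the Case guidelines): the script computes the digest with openssl sha1 as the rule says, falls back to sha1sum where openssl is absent (an assumption for non-Mac hosts), and compares it to the expected value itself so that a mismatch is never missed by eye. The sample file and its digest are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: verify a downloaded update
# against its expected SHA-1 hash before it goes onto removable media.
# The comparison is case-insensitive because published hashes appear in
# both upper- and lower-case hex.

# sha1_of FILE: print the lower-case SHA-1 hex digest of FILE.
# Uses "openssl sha1" as the benchmark does; the sha1sum fallback is an
# assumption for systems without openssl. Returns 2 if neither tool exists.
sha1_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl sha1 "$1" | awk '{ print tolower($NF) }'   # output: SHA1(file)= <hex>
  elif command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{ print tolower($1) }'         # output: <hex>  file
  else
    return 2
  fi
}

# verify_sha1 FILE EXPECTED_HEX: exit 0 if the digests match, 1 if they do
# not, 2 if no hashing tool is available.
verify_sha1() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha1_of "$1") || return 2
  [ "$actual" = "$expected" ]
}

# Demonstration on a constructed file whose SHA-1 is known
# (the digest of the six bytes "hello\n").
demo=$(mktemp) || exit 1
printf 'hello\n' > "$demo"
if verify_sha1 "$demo" f572d396fae9206628714fb2ce00f72e94f2258f; then
  echo "digest matches: safe to copy to removable media"
else
  echo "DIGEST MISMATCH: do not install this file"
fi
rm -f "$demo"
```

In practice you would run verify_sha1 against the downloaded update package and the hash Apple publishes for it, and copy the package to the removable media only when the function returns 0.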

2.2. Rule: Check for software updates regularly

Software sometimes contains defects that may make a system subject to unauthorized access. Apple provides software updates to correct these defects. Ideally, software updates should first be tested on a laboratory system before being applied to systems used for real work. However, it is often not easy or possible to find the time or resources to do this. Therefore, it is generally worthwhile to go ahead and apply the software updates from Apple, accepting the small risk that an update might cause a problem with the system. The alternative of simply not applying the update, thereby leaving known software defects in place, is probably a greater risk on a general-purpose system. At Case these will be set for weekly checks at a minimum, with daily the preferred interval. (NIST SP 800-53 security control: SI-2)

Remediation

In the Software Update preference pane, check the "Check for updates" box, and select "Weekly" or "Daily" from the pop-up menu.

2.3. Rule: Enable network time synchronization

Accurate time is an important security tool. It enables log file timestamps to be correlated across systems. Certain network authentication protocols, such as Kerberos (which is a component of both Apple's Open Directory and Microsoft's Active Directory), also rely on accurate time. (NIST SP 800-53 security control: AU-8)

Remediation

In the Date & Time preference pane, check the "Set date & time automatically" box. Enter ntp1.case.edu, ntp2.case.edu, or ntp3.case.edu in the text field.

2.4. Group: Configure locking screen saver

A locking screen saver can prevent unauthorized access by casual passers-by. The locking screen saver is like the lock on a car door: it deters casual mischief and attacks of opportunity. (NIST SP 800-53 security control: AC-11)

2.4.1. Rule: Require a password to unlock the screen saver

Remediation

In the Security preference pane, check the "Require password to wake this computer from sleep or screen saver" checkbox.

2.4.2. Rule: Set the screen saver to appear after a period of inactivity

Remediation

In the Desktop & Screen Saver preference pane, set the screen saver to start after 15 minutes of inactivity. Also set a hot corner so that the screen saver can be activated on demand.

2.4.3. Rule: Configure Keychain Access to show its status in the menu bar

Remediation

Run the Keychain Access application (found in /Applications/Utilities), choose "Preferences" from the application menu, and, in the "General" tab, check the box labeled "Show Status in Menu Bar." This provides a drop-down menu in the menu bar, one of whose choices is to immediately lock the screen. This can be used when you do not want to wait even the three-minute minimum inactivity timeout imposed by the Screen Saver preference pane.

2.5. Rule: Disable automatic login

To make the use of the computer easier for consumer users, the default installation of Mac OS X automatically logs the user into the system upon reboot. Disable this feature so that unauthorized access to the computer cannot be gained simply by power-cycling it. (NIST SP 800-53 security control: AC-3)

Remediation

In the Security preference pane, check the "Disable automatic login" checkbox.

2.6. Rule: Normal use should be as a regular user, not an administrator

It is generally preferable to use a non-administrator account for day-to-day work. The system will typically prompt for an administrator user name and password when additional privilege is required to perform a particular operation, so it is rarely necessary to log in as an administrator. Should trickery or software defects result in the execution of some sort of malware, damage will be limited to areas over which the normal user account has control. If the logged-in account were an administrator, the malware could write to files in /Applications/ and other locations that are writable by the admin group. It may also be easier to obtain root privileges from an administrator account. (NIST SP 800-53 security control: AC-6)

Remediation

In the Accounts preference pane, create an additional account, and be sure that the "Allow user to administer this computer" checkbox is cleared. Do not enter a password hint. Log in using this account, and use the administrator account name and password only as required. This is also a good time to verify that there are no extraneous accounts present, especially if the system being configured was not loaded from a fresh installation of Mac OS X.

2.7. Rule: Display login banner

Case requires that a message be displayed to users before they log in. The login window can display such a banner. If remote access via ssh is enabled, it shall be configured to display a banner as well.

Remediation

To make the login window display a [login banner], run the following command as an administrator user (all on one line):

sudo defaults write /Library/Preferences/com.apple.loginwindow LoginwindowText 'your banner text here'

This can also be achieved using the plist editor that comes with the XCode development tools. The plist editor needs to be run with sudo/root privileges (in a command window, sudo ./PlistEdit will launch it). Note that sometimes the line editor won't take the whole Case Login Banner, so use the tool ["Skeleton Key"] to run the plist editor as root, which will permit you to add and edit the login banner.

To make sshd display a pre-login message, first create a file called (for example) /etc/banner and put the [login banner] text in it. Then edit /etc/sshd_config and find the line that says "#Banner /some/path". Right below that line, add a new line that reads "Banner /etc/banner".

This is the text of the Case Login Banner:

Warning! This is a private system. Unauthorized access to or use of this system is strictly prohibited. By continuing, you acknowledge your awareness of and concurrence with the Acceptable Use Policy of Case Western Reserve University. Unauthorized users may be subject to criminal prosecution under the law and are subject to disciplinary action under University policies.
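The sshd_config edit from this rule, as an added shell example (not part of the CIS benchmark or the Case guidelines): the function puts the Banner line directly below the commented "#Banner" line as the remediation says, rewrites an existing active Banner line instead of adding a second one, and appends the line if the file has neither, so it can be run more than once safely. The sample configuration file is constructed in a temporary file; the function is meant to be run as root against /etc/sshd_config, and sshd needs to be restarted afterwards for the change to take effect.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: set the sshd "Banner"
# directive without leaving duplicate or conflicting Banner lines behind.
#
# set_sshd_banner CONFIG BANNER_FILE
#   - an existing active "Banner ..." line is rewritten in place,
#   - otherwise "Banner BANNER_FILE" is inserted directly below the first
#     commented "#Banner ..." line (where the benchmark tells you to put it),
#   - otherwise the line is appended at the end of the file.
# Running it twice leaves exactly one active Banner line (idempotent).
set_sshd_banner() {
  cfg=$1
  banner=$2
  tmp=$(mktemp) || return 1
  awk -v b="$banner" '
    /^[ \t]*Banner[ \t]/ {                 # active directive
      if (!done) { print "Banner " b; done = 1 }
      next                                 # drop any duplicates
    }
    /^[ \t]*#[ \t]*Banner[ \t]/ && !done { # commented default from the stock file
      print; print "Banner " b; done = 1; next
    }
    { print }
    END { if (!done) print "Banner " b }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
  # Overwrite in place (cat > file) so the config keeps its owner and mode.
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# active_banner CONFIG: print the path from each active Banner line.
active_banner() {
  awk '/^[ \t]*Banner[ \t]/ { print $2 }' "$1"
}

# Demonstration on a constructed copy of a stock-looking sshd_config,
# never on the real /etc/sshd_config.
demo_cfg=$(mktemp) || exit 1
printf '%s\n' 'Port 22' '#Banner /some/path' 'Subsystem sftp /usr/libexec/sftp-server' > "$demo_cfg"
set_sshd_banner "$demo_cfg" /etc/banner
echo "banner now: $(active_banner "$demo_cfg")"
rm -f "$demo_cfg"
```

Keeping a backup copy of /etc/sshd_config before running this on the real file is still good practice; the function rewrites the file contents but does not keep a copy of the original.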

2.7.1. Rule: Configure Login Window

Your login window should be as simple as possible. It is best if your personal Mac does not present all of the user names for logging in. Configure the login window to have blank user name and password fields.

Remediation

To configure the login window, in the Accounts preference pane, select "Login Options". Under "Display login window as:", select "Name and Password".

2.8. Rule: Leave unused services disabled

Services are managed from the Sharing preference panel. By default, all services on Mac OS X are off. Enable only the services necessary. The remote login service, which turns on ssh, is probably the most commonly enabled and useful service. The FTP service is not to be used at Case, since it transmits passwords over the network in clear text. The services in the Sharing preference panel all relate to sharing information on the local computer with remote users. You do not need to enable any of the services in order to access files stored on remote systems. For example, it is not necessary to enable Windows file sharing to access files stored on a Windows server. (NIST SP 800-53 security control: AC-11)

Remediation

In the Sharing preference pane, click on the "Services" tab and ensure that unused services are turned off. If there is any doubt, leave all services disabled (unchecked).

2.9. Rule: Enable firewall

The built-in firewall is managed from the Firewall tab of the Sharing preference panel. By default, the firewall blocks all inbound TCP traffic not initiated from the system. It does not block outbound traffic, nor does it block any UDP traffic unless the advanced settings are enabled. When services are enabled from the Sharing preference panel, rules are added to the firewall to allow access to those services. (NIST SP 800-53 security control: AC-11)

Remediation

In the Sharing preference pane, click on the "Firewall" tab and click the "Start" button to enable the firewall. In that same "Firewall" tab, click the "Advanced" button and select all three checkboxes: Block UDP Traffic, Enable Firewall Logging, and Enable Stealth Mode.

2.10. Rule: Enable remote logging

If your department has a central log host, direct log messages to it. This applies at the departmental level, as the University does not yet support a central log server for anything other than infrastructure services.

Remediation

Add the following line to /etc/syslog.conf (where your.log.host is the name of your central log server). A syslog.conf line consists of a selector and an action separated by a tab; the selector *.* forwards messages of every facility and priority, and the @ prefix on the action sends them to the named host:

  • *.*	@your.log.host

2.11. Rule: Use strong passwords

Use a strong password on your local account. Apple provides a tool called the Password Assistant to help with selecting a strong password. This account password is very important; it should be used only for your Mac OS X account. Do not use it for a web site password or for any other purpose. Never type the password on a computer that you do not control (e.g., a kiosk or a computer in an internet cafe).

Remediation

Open the Accounts preference panel and click on the Password tab. Click the "Change Password..." button, and click on the small picture of the key to the right of the "New Password" field to bring up the Password Assistant. You can have the assistant suggest a password for you, or come up with one yourself. When the password quality bar turns green, your password is strong.


2.12. Rule: Find world-writable files

Software installers are generally bad about leaving files and directories world-writable. Use the command

find /Applications /Library \( -type d -or -type f \) -perm +0002 -print

to get a list of world-writable directories and files in the usual suspect locations. Correct the permissions with

chmod o-w

or, at the very least, by piping the output of the above command into

xargs chmod o-w
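The find-and-fix procedure above, as an added shell example (not part of the CIS benchmark or the Case guidelines). It differs from the one-liners in two deliberate ways: it uses -perm -0002 ("other-write bit set"), which is POSIX and behaves identically under BSD find on Mac OS X and GNU find, where the +0002 form is no longer accepted; and it uses find's own -exec ... {} + instead of piping into xargs, because xargs splits on whitespace and would mangle the many application paths that contain spaces. The directory tree it runs on is constructed in a temporary directory; on a real system the functions would be pointed at /Applications and /Library and run via sudo.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: find and repair
# world-writable files and directories.

# list_world_writable DIR...: print each regular file or directory under the
# given directories whose other-write bit is set.
list_world_writable() {
  find "$@" \( -type d -o -type f \) -perm -0002 -print
}

# count_world_writable DIR...: number of such paths (always prints a number,
# including 0, so it is safe to use in a test).
count_world_writable() {
  list_world_writable "$@" | awk 'END { print NR }'
}

# fix_world_writable DIR...: strip the other-write bit from every hit.
# Owner and group permissions are left untouched; -exec ... {} + batches the
# paths like xargs would, but passes them as separate arguments, so names
# with spaces survive.
fix_world_writable() {
  find "$@" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Demonstration on a constructed tree in a temp dir (not /Applications):
# a 777 directory with a space in its name, a 666 file inside it, and a
# 644 file that must be left alone.
demo_dir=$(mktemp -d) || exit 1
mkdir "$demo_dir/Loose App.app"
chmod 777 "$demo_dir/Loose App.app"
: > "$demo_dir/Loose App.app/Info.plist"
chmod 666 "$demo_dir/Loose App.app/Info.plist"
: > "$demo_dir/README"
chmod 644 "$demo_dir/README"

echo "before: $(count_world_writable "$demo_dir") world-writable path(s)"
fix_world_writable "$demo_dir"
echo "after:  $(count_world_writable "$demo_dir") world-writable path(s)"
rm -rf "$demo_dir"
```

Run list_world_writable first and review the output before calling fix_world_writable; a handful of locations (for example /tmp-style sticky directories) are world-writable by design, and the functions above only look at /Applications and /Library when you pass those paths.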

2.13. Group: Encrypt home directory and swap files

Encrypting swap files and user home directories will maintain the confidentiality of the data stored on the computer, even if the computer is lost or stolen. This is required for any Case staff who manage sensitive information on a pilferable device (e.g., a laptop).

2.13.1. Rule: Configure FileVault

FileVault transparently encrypts users' home directories. It must be enabled on a per-user basis. If there is a lot of data in the home directory, turning on FileVault will take a long time.

    • Warning! If the user forgets his login password and also loses the master password, his data will be unrecoverable. If the FileVault passwords cannot be reliably managed, the risk of data loss probably outweighs the security benefits, and FileVault should not be enabled.

Remediation

Open the Security preference panel. To enable FileVault, first set a master password by clicking on the "Set Master Password..." button. The password assistant (click on the "?" button to the right of the Master Password text field) can help with selecting a strong password. Don't enter a password hint. Write down the master password, seal it in an envelope, and store it in a safe or some other secure location. Now turn on FileVault by pressing the "Turn On FileVault" button.

Note: labeling the computer with your master password is a sure way to ensure the disclosure.

2.13.2. Rule: Configure secure virtual memory

Enabling secure virtual memory causes the swap files on the disk to be encrypted. It is possible for an attacker to look through the swap files on a stolen disk in search of passwords or other sensitive data; encrypting the swap files prevents this.

Remediation

Open the Security preference pane and click the "Use secure virtual memory" checkbox.


3. Profiles

3.1. Profile: Desktop system settings

Description

Use these settings for desktop Mac OS X systems.

Item Selections

Rules and Groups explicitly selected and deselected for this profile.

  • Included: Start from a fresh installation of Mac OS X
  • Included: Check for software updates regularly
  • Included: Enable network time synchronization
  • Included: Configure locking screen saver
  • Included: Disable automatic login
  • Included: Normal use should be as a regular user, not an administrator
  • Included: Display login banner
  • Included: Leave unused services disabled
  • Included: Enable remote logging
  • Included: Use good passwords
  • Included: Find world-writable files

3.2. Profile: Notebook system settings

Extends: Desktop system settings

Description

Use these additional settings on portable Mac OS X systems. These settings could also be applied to desktop systems at administrator discretion.

Item Selections

Rules and Groups explicitly selected and deselected for this profile.

  • Included: Enable firewall
  • Included: Encrypt home directory and swap files

4. References

  • Apple product security web site
  • Apple security updates
  • Apple Mac OS X Common Criteria guide and tools

This page was last modified 10:48, November 21, 2007 by Thomas Siu.