Authors: Adam Gray cism

Unix Infrastructure 4

Security Framework 4

Types of User Accounts and Account Philosophy 5

Securing Administrator Accounts 6

Groups 8

Securing Non-administrator Accounts 8

Securing the System Administrator Account 10

Software Installation 12

Appearance 12

Desktop & Screen Saver 12

Security 13

Sandbox 13

Spotlight 14

CDs & DVDs 14

Energy Saver 14

Print & Fax 14

Network 15

Wireless Networking 15

Bluetooth 16

QuickTime 16

Sharing 17

Accounts 17

Date & Time 18

Software Update 18

Speech 18

Universal Access 18

Locking and Unlocking System Preferences 18

Securing the System and the Data 20

Open Firmware and EFI Password 20

File Permissions 21

File ACLs 22

Encrypting Home Folders 23

Keychain Services 24

System Integrity 26

Auditing and Logs 26

Host Based Intrusion Detection 27

File Checksum generation and Comparison 28

Network Intrusion Detection 28

Bastille 28

Services Access 30

Network Services 31

Password Maintenance 37

Safe Password Storage 37

This document can be used as an audit reference, or as a system hardening document for Apple’s OS X operating system. This document is limited to versions 10.5.* of OS X. Security is complex and constantly changing. In addition to this checklist, consult any Apple Documentation and other sources for securing OS X that may help cover gaps in this document. See the Reference Section of this document for a list of additional resources.

You should also monitor mailing lists and forums pertaining to OS X security. Security organizations like Secunia.com and sans.org have mailing lists that include vulnerabilities and other security bulletins for OS X.
You’ll notice some of the text is in a different format. The format is:

• 
  Perform this action
  

The purpose of this document is to be a checklist; however, explanations of recommended actions are included for clarity.

This document provides steps you can take to harden your OS X system, but should not be considered a “silver bullet” protecting you from all security issues. A unique aspect of the Apple user is that they're quite likely to run third party services (such as Rumpus, FileMaker Server, CommuniGate Pro, Now Up-to-Date Server and Now Contact Server, Kerio, etc) that invoke a listener. The reader will need to consult product vendor resources to determine the most secure implementation of these products.

OS X Security Architecture
This part of the document will be light on “checklist” activities. Instead, we'll just briefly describe some of the security related features of the architecture.

Unix Infrastructure

OS X is a hybrid of the Mach kernel and FreeBSD. The Mach kernel-BSD combination came from NEXTSTEP and the NeXT computer that Steve Jobs unveiled in the late 1980s. The kernel tends to be what sets each OS apart from one another. For example, GNU/Linux is commonly referred to as just Linux, even though Linux is just one piece of the GNU/Linux OS. It’s an important piece, but not useful without the GNU pieces. In this regard Mac OS X is very similar. It has a non BSD kernel with BSD userspace and support tools. BSD is what provides the model for much of the security we'll be covering in this checklist.
As of Mac OS X 10.5, Apple has attained UNIX 03 Certification.

Security Framework

Apple used Open Source Software (OSS) when creating Mac OS X. Several projects were leveraged to make up Mac OS X, including the Apache web server, MIT Kerberos, Samba, SpamAssassin and the Common UNIX Printing System (CUPS)..

Apple's stance on open source is simple and is becoming more mainstream in the IT industry, with SUN, Novell and others embracing the open source model in some form. Open source allows public scrutiny of application code, and therefore more secure applications. The open source community also has an established reputation for a short turn around time for developing security related patches and fixes, which Apple typically incorporates into Mac OS X fairly quickly. This helps keep Mac OS X secure, and provides for timely patching of bugs that arise from the open source packages deployed within Mac OS X itself.
Apple has designed their security around the Common Data Security Architecture (CDSA) model, developed by Intel. CDSA is a set of layered security services and a cryptographic framework that provide an interoperable, cross-platform infrastructure for creating security-enabled applications for client-server environments. CDSA covers the essential components of security capability to equip applications with security services that provide cryptography, certificate management, trust policy management, and key recovery.
CDSA defines a horizontal, four-layer architecture:
1. Applications such as Mail, Safari, iChat, Disk Utility, Keychain Access and other applications developed by Apple.

2. Layered services and middleware including the APIs used by the Applications listed above. An application programming interface (API) is a set of definitions of the ways one piece of computer software communicates with another. It is a method of achieving abstraction, usually (but not necessarily) between lower-level and higher-level software. These APIs include interfaces for Keychains, File Signing, SSL and Certificate Management.

3. Common Security Services Manager (CSSM) infrastructure Common Security Services Manager (CSSM) Cryptographic Services Manager. The CSSM has functions to create and verify digital signatures, generate cryptographic keys, and create cryptographic hashes.

4. Security Service Provider Modules, also known as Add-in Modules are third party and non-application items built using the APIs in the second layer of the CDSA. This allows for extensibility to the framework.

The CDSA is an open source framework, allowing it to closely parallel many of Apple’s other initiatives for security and development and receive peer review from a larger audience than just Apple users. CDSA allows Apple and the community of third-party developers to architect software in a secure manner while still supporting the networkable features required for the modern applications of today and tomorrow. For more information on the CDSA model see the Intel CDSA site at http://www.intel.com/ial/security.