Securing Mac OS X 63
LogError writes "This paper addresses operating system hardening in terms of patching, administration roles, and setting passwords. It also provides information on Mac OS X network security: namely, basic firewall configuration and hardening of network services such as FTP, SSH, and Apache."
Good to see... (Score:5, Insightful)
Re:Good to see... (Score:5, Funny)
Re:Good to see... (Score:3, Funny)
But not, in standard slashdot fashion, before posting a comment here.
They score some points with me on a first skim... (Score:5, Interesting)
Re:They score some points with me on a first skim. (Score:5, Interesting)
Right now -- Today, anti-virus software for Mac OS X is worthless. There are no viruses to check for on OS X for it to protect against. If or when a virus or a worm comes out for OS X then anti-virus software will have a use. Until then, you are just wasting money.
Just like anti-virus software for Linux, it is the modern day snake oil.
Re:They score some points with me on a first skim. (Score:5, Insightful)
Not quite true, particularly in a corporate setting. Let me state first off that I run OS X and don't have any anti-virus software, but I can see a use for it.
Chances are that the email you're sending is getting read on a Windows box. If you're forwarding along a mail containing an attachment, you might be unwittingly forwarding a Windows virus which is totally harmless to you, but not so to your recipient. I had one the other day - README.CPL. Mac users don't need to care that that's a Windows control panel, and might not even know. Your virus checker might not prevent you from catching non-existent viruses, but it will help you be nicer to the Windows-using world by catching anything you're sending out. Can also help with macro viruses I imagine, though I don't have MS Office on my machine so I can't be certain of that.
Cheers,
Ian
Windows box (Score:4, Insightful)
Not forwarding attachments that you don't recognise/need is common sense - why would you possibly forward an email like that??? So I think the grand-parent's point stands - until there is a virus in the wild for OS X, installing anti-virus software is not going to help anyone.
The only possible use I can see is to scan for Word macro viruses which you might pass on to Windows users, however there is another solution to that problem. Also, if they have anti-virus software (which they should have) it should pick that up.
Re:Windows box (Score:1)
I'm sure anti-virus software will be necessary on Mac desktops someday soon, but until there is at least *one* virus in the wild it seems a bit pointless to have it running. On PC desktops r
A virus for YOUR platform is YOUR problem! (Score:1, Insightful)
They should be running their own damned antivirus software so any file that I pass them gets checked/disinfected on their end.
If Windows users wan
Re:They score some points with me on a first skim. (Score:2, Interesting)
What makes you think that anti-virus software written for OS X will even be able to detect a Windows virus lying dormant in a file? The code won't even execute on the processor. The anti-virus software is not going to have definitions for viruses that don't exist on the platform that the software was designed for.
Re:They score some points with me on a first skim. (Score:2)
Yes, they do have definitions for other platforms. Doesn't matter in the slightest what processor the virus was meant for, virus scanners don't check things are viruses by running the code, they do it by pattern recognition.
I have Clam anti-virus software running on a Linux server. It's happily catching Windows viruses all d
Re:They score some points with me on a first skim. (Score:2)
That isn't true, I don't think. Virex on the Mac recognizes Windows virus signatures.
Re:They score some points with me on a first skim. (Score:2)
I never would have thought that anti-virus software would bother with viruses that don't affect the client machine. I do wonder how they can be sure that the patterns they are matching to don't have a legitimate use on the platform (like say, a datafile) and only happen to have the same binary values in the right places to also be a Windows virus.
still... not much
Re:They score some points with me on a first skim. (Score:2)
False positives are problems with all pattern matching systems, but it doesn't seem to come up that often. The anti-virus vendors seem to do a pretty good job of finding unique strings to match on.
It is possible for anti-virus software to detect unknown viruses by monitoring for suspicious activity. Several
false positives do happen (Score:2)
Whether it's based on magic number-like signatures, or something like md5 hashes, or whatever, any way of recognizing a file, based on less than the full file for comparison, will always lose some information.
Note that this wa
Re:They score some points with me on a first skim. (Score:4, Funny)
"Dear Bob,
I received this attachment from a nice Nigerian man - he suggested I open it and put my credit card numbers in to the box that appears to register it. However, being a Mac user, I can't open it. Would you please do so, and put your credit card numbers in?
Thanks!"
Seriously? How many people forward emails with attachments that they can't open?
Re:They score some points with me on a first skim. (Score:2)
Email anti-virus needs to be done by the server to be reliable. That way it doesn't matter who or where the infected message came from, if it has a virus it gets quarantined on the server, no bounce messages, just quarantined.
If someone was expecting something and it doesn't get through, you will hear about it and you can look into it to find that it has a virus and the sender needs to clean up their m
Re:They score some points with me on a first skim. (Score:5, Informative)
Re:They score some points with me on a first skim. (Score:3, Funny)
There is nothing healthy about having a collection of pre-G3 Macs..
Not that I don't have one too... but it's certainly not healthy.
Not to mention MS Office viruses... (Score:1)
Incidentally, I posted this information some time back, and my post was branded "flamebait". Go figure...
Re:They score some points with me on a first skim. (Score:3, Insightful)
Direct link to the PDF.... (Score:4, Informative)
Re:Direct link to the PDF.... (Score:1)
Securing Mac OS X (Score:3, Interesting)
Step 2: There is no step 2!
Scoff if you want to, but I've never had to spend a couple hours trying to pry any malware out of my Macs-- but most of my billable time lately has been spent doing just that on clients' Windows boxes.
When Norton Antivirus, Spybot S&D, Ad-Aware and CoolWebShredder together aren't enough to delouse the average PC and keep it clean, IMHO it's just time to give up on Windows.
Re:Securing Mac OS X (Score:4, Informative)
Less than 48 hours after being hooked to the internet, they're calling me over because some anti-virus app had detected spyware and some other thing and was going to need a couple of hours to scan the hard drive.
Needless to say, these newbies were panicking big time.
They asked how I dealt with viruses and the like and I said, "Remember, I said I use Macs." The wife says, "ooooh, you don't get viruses on your Macs?" Then looks at her husband and says "Why didn't we get a Mac?"
The next day they had some PC tech company people there to fix it! (and the bastards parked in MY driveway)
Re:Securing Mac OS X (Score:1)
Securing Mac OS X (Score:5, Funny)
2. walk into the apple store
3. Insert Mac OS X into trench-coat
4. Walk calmly to your car
5. Drive home
Re:Securing Mac OS X (Score:3, Funny)
6. ???
7. Profit!!!
Re:Securing Mac OS X (Score:1, Funny)
2. walk into the apple store
3. Insert Mac OS X into trench-coat
4. Walk calmly to your car
5. Drive home
Otherwise known as the "Sandy Berger" technique.
Re:Securing Mac OS X (Score:2, Funny)
2. walk into the apple store
3. Insert Mac OS X into trench-coat
4. Walk calmly to your car
5. Drive home
Otherwise known as the "Sandy Berger" technique.
Actually you'd have to change 'trench-coat' to 'underpants'
Why was the parent marked troll? I thought it was funny.
Obviously some thin-skinned Democrats running around
Re:Securing Mac OS X (Score:1)
Re:Securing Mac OS X (Score:3, Funny)
Problem solved (Score:2, Funny)
2. Install OpenBSD/macppc [openbsd.org]
Next on Neill's Slashdot Comments: How to secure Linux.
secure any machine. (Score:4, Funny)
Re:secure any machine. (Score:5, Funny)
Re:Problem solved (Score:1)
Re:Problem solved (Score:1)
a couple of thoughts on this paper ... (Score:3, Informative)
Missing: Important sshd_config changes (Score:4, Informative)
Re:Missing: Important sshd_config changes (Score:3, Informative)
Re:Missing: Important sshd_config changes (Score:3, Interesting)
Re:Secure your ... (Score:5, Insightful)
This alone isn't enough. You need physical security, too. If I can get physical access to the machine, I can walk out of the room with the whole thing, or just its hard drive, or even just an image of its hard drive, and start working on it.
The only truly secure computer is encased in concrete and sitting at the bottom of the Pacific Ocean, two thousand miles south of Honolulu.
Re:Secure your ... (Score:2)
Re:Secure your ... (Score:3, Funny)
I can go home now... (Score:5, Informative)
"Sudo
Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default Panther allows all administrative users access to the sudo command and it allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead, enable it on a per user basis.
From the terminal, edit the
%admin ALL=(ALL) ALL
To allow only the user 'bob' access to sudo add the line:
bob ALL = (ALL) ALL
Make sure that at least one user has permissions to run sudo before saving the file! Access controls within the sudoers file can be specified minutely, for example, it is possible to grant the user james access to the file
Who'da thunk?
I'd never read that manpage through (Score:3, Informative)
That's really funny, in a "who the hell thought that would be a good idea?" sort of way...
Most people just copy and paste the [user list] ALL=(ALL) ALL form, without considering what limits can be imposed. Really, that's
[user list] [host list]=([run-as-user list]) [command list]
Re:I can go home now... (Score:2)
Doing will dump you into a root shell bypassing sudo command restrictions, and also bypassing sudo logging (though it will still log that you executed su)
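Added example (not part of any comment above or of the paper): a small Python audit of the "user hosts=(run-as) commands" form discussed in these comments. It flags unrestricted grants such as the default %admin line, and restricted grants that still hand out su or a shell. The sample policy, the users alice and carol, and the command paths are constructed, and only simple one-line user specifications are handled.

```python
import re

# Constructed sample policy: alice, carol and the command paths are illustrative.
SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
%admin ALL=(ALL) ALL
bob ALL = (ALL) ALL
alice ALL = (root) /usr/sbin/apachectl restart
carol ALL = (root) NOPASSWD: /usr/bin/su, /usr/bin/less /var/log/system.log
"""

# who  hosts = (run-as) commands   -- the run-as part is optional
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?:[A-Z]+:\s*)+")          # e.g. NOPASSWD:
SHELLS = {"su", "sh", "bash", "zsh", "csh", "tcsh", "ksh"}

def parse(text):
    """Yield one dict per simple one-line user specification."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = SPEC.match(line)
        if m:
            cmds = [TAG.sub("", c.strip()) for c in m["cmds"].split(",") if c.strip()]
            yield {"who": m["who"], "hosts": m["hosts"].strip(),
                   "runas": (m["runas"] or "root").strip(), "cmds": cmds}

def audit(text):
    """Return (who, finding) pairs for grants that amount to full root."""
    findings = []
    for spec in parse(text):
        if "ALL" in spec["cmds"]:
            scope = "group" if spec["who"].startswith("%") else "user"
            findings.append((spec["who"], "unrestricted-" + scope))
            continue
        for cmd in spec["cmds"]:
            binary = cmd.split()[0]
            if binary.rsplit("/", 1)[-1] in SHELLS:
                # A permitted su or shell gives a root shell; other limits no longer apply.
                findings.append((spec["who"], "root-shell:" + binary))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(who, finding)
```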
Prison showers, Apple flowers (Score:4, Funny)
Those with previous experience (Custom Linux installation) will know there are security options and will pick, for example, "buttcheeks=open" or "buttcheeks=closed" depending on what they plan to do.
The new users won't know there's an option until it's pointed out to them some time in the future.
MacOSX follows "recommended best practice" and starts you off with buttcheeks=closed, and if that ever becomes a problem, hopefully you'll look into it yourself and figure out which option needs changing to enhance your experience.
Windows apparently starts with buttcheeks=open, because they don't want to deny their users the full internet experience. Or something.