Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
OS X Businesses Operating Systems Security Apple

Securing Mac OS X 63

LogError writes "This paper addresses operating system hardening in terms of patching, administration roles, and setting passwords. It also provides information on Mac OS X network security: namely, basic firewall configuration and hardening of network services such as FTP, SSH, and Apache."
This discussion has been archived. No new comments can be posted.

Securing Mac OS X

Comments Filter:
  • Good to see... (Score:5, Insightful)

    by Exitthree ( 646294 ) on Wednesday July 21, 2004 @05:58PM (#9764956) Homepage
    While OS X is quite secure by default, it is good to recognize that OS X, like any OS, isn't without vulnerability. The fact that the OS is getting a thorough look-over for security concerns is just one more step in getting it taken seriously. I'm going to have a full of the paper now.
  • by mellon ( 7048 ) * on Wednesday July 21, 2004 @06:03PM (#9765002) Homepage
    ...because they mention antivirus software and do not claim that it will be of any value other than possibly satisfying corporate IS requirements.
  • by Currawong ( 563634 ) <sd@accounts.a[ ].io ['mos' in gap]> on Wednesday July 21, 2004 @07:08PM (#9765466) Homepage Journal
    ....is here [net-security.org]. This for those of you who read the comments before reading the article ;)
  • Securing Mac OS X (Score:3, Interesting)

    by Anonymous Coward on Wednesday July 21, 2004 @08:06PM (#9765856)
    Step 1: Turn on the Mac.
    Step 2: There is no step 2!

    Scoff if you want to, but I've never had to spend a couple hours trying to pry any malware out of my Macs-- but most of my billable time lately has been spent doing just that on clients' Windows boxes.

    When Norton Antivirus, Spybot S&D, Ad-Aware and CoolWebShredder together aren't enough to delouse the average PC and keep it clean, IMHO it's just time to give up on Windows.
    • Re:Securing Mac OS X (Score:4, Informative)

      by dnahelix ( 598670 ) <slashdotispieceofshit@shithome.com> on Thursday July 22, 2004 @12:08AM (#9767182)
      My poor neighbors just got a PC (booo) with XP and, upon my suggestion, got Comcast broadband.

      Less than 48 hours after being hooked to the internet, they're calling me over because some anti-virus app had detected spy ware and some other thing and was going to need a couple of hours to scan the hard drive.
      Needless to say, these newbies were panicing big time.
      They asked how I dealt with viruses and the like and I said, "Remember, I said I use Macs." The wife says, "ooooh, you don't get viruses on your macs?" Then looks at her husband and says "Why didn't we get a Mac?"
      The next day they had some PC tech company people there to fix it! (and the bastards parked in MY driveway)
    • After reading that, this picture [penny-arcade.com] comes to mind.
  • by slughead ( 592713 ) on Wednesday July 21, 2004 @08:06PM (#9765862) Homepage Journal
    1. Put on oversized trench-coat
    2. walk into the apple store
    3. Insert Mac OS X into trench-coat
    4. Walk calmly to your car
    5. Drive home
  • 1. Delete OSX
    2. Install OpenBSD/macppc [openbsd.org]

    Next on Neill's Slashdot Comments: How to secure Linux.

  • by valmont ( 3573 ) on Thursday July 22, 2004 @03:19AM (#9767843) Homepage Journal
    ... can be found in this blog entry [blogspot.com]. ... I'll try and link to higher-modded comments to his post in comments on my blog. I think the more people cross-pollinate ideas about end-user operating system security, the better-off we could all be :)
  • by tbmaddux ( 145207 ) * on Thursday July 22, 2004 @10:18AM (#9769801) Homepage Journal
    The article gives a brief overview of SSH, explains AllowUsers, tunnelling, and recommmends disabling SSHv1. However, it misses other details. The most important is disabling root login (which is allowed by default) with: PermitRootLogin no and it would also have been nice to see them suggest changing the Ciphers list from the default, choosing SHA1 MACs, and giving a rundown of public-key-based authentication rather than merely sending readers onward to the OpenSSH website.
  • I can go home now... (Score:5, Informative)

    by dave at hostwerks ( 466530 ) on Thursday July 22, 2004 @11:58AM (#9770983) Homepage
    I've learned my one thing for the day: an admin can control who can and who cannot execute the sudo command.

    "Sudo
    Since the root user is disabled, it is not possible to use the su command to obtain root privileges; instead, OS X makes use of the sudo program. By default Panther allows all administrative users access to the sudo command and it allows these users to run any program with sudo. In some circumstances, this may contravene system usage policies. In these cases, it is possible to disallow sudo access to the administrator group and instead, enable it on a per user basis.

    From the terminal, edit the /etc/sudoers file by typing: sudo visudo Insert a hash (#) character, in front of the line
    %admin ALL=(ALL) ALL

    To allow only the user 'bob' access to sudo add the line:
    bob ALL = (ALL) ALL

    Make sure that at least one user has permissions to run sudo before saving the file! Access controls within the sudoers file can be specified minutely, for example, it is possible to grant the user james access to the file /usr/bin/kill, but only with the privileges of user tim. See the sudoers man page for more details on tightening access controls through sudo."

    Who'da thunk?
    • insults If set, sudo will insult users when they enter an incorrect
      password. This flag is off by default.

      That's really funny, in a "who the hell thought that would be a good idea?" sort of way...

      Most people just copy and paste the
      [user list] ALL=(ALL) ALL form, without considering what limits can be imposed. Really, that's
      [user list] [host list]=([run-as-user list]) [command list]

    • Be sure that users you restrict to certain commands and arguments (ie, bob gets passwd with sudo, but only for users != root, superadmin, etc) can not also run 'su'.

      Doing
      sudo su
      will dump you into a root shell bypassing sudo command restrictions, and also bypassing sudo logging (though it will still log that you executed su)
  • by jellyfish_green ( 605870 ) on Friday July 23, 2004 @03:50AM (#9777603)
    A new user entering the internet is like your first time using the communal prison showers.

    Those with previous experience (Custom Linux installation) will know there's security options and will pick, for example, "buttcheeks=open" or "buttcheeks=closed" depending on what they plan to do.

    The new users won't know there's an option until it's pointed out to them some time in the future.

    MacOSX follows "recommended best practice" and starts you off with buttcheeks=closed, and if that ever becomes a problem, hopefully you'll look into it yourself and figure out which option needs changing to enhance your experience.

    Windows apparently starts with buttcheeks=open, because they don't want to deny their users the full internet experience. Or something.

"How to make a million dollars: First, get a million dollars." -- Steve Martin

Working...