The Information Assurance Mission at NSA
Hardening Tips for Mac OS X 10.6 "Snow Leopard"

Systems and Network Analysis Center
National Security Agency
9800 Savage Road
Ft. Meade, MD 20755
http://www.nsa.gov/snac
Version 1.0, March 2010

The following trifold contains, in order of importance, high-impact tips designed for use by an administrative user of Mac OS X 10.6 Snow Leopard.

Apple's official Snow Leopard Security Guide can be found at http://www.apple.com/support/security/guides/

Important: System updates may override many of these configuration changes. Achieve their persistence through vigilant re-application or management software.

Don't Surf or Read Mail Using Admin Account

Create a non-administrator user in the Accounts pane of System Preferences and use this account for everyday tasks. Only log in with an administrator account when you need to perform system administration tasks.

Use Software Update

Regularly applying system updates is extremely important.

For Internet-connected systems: Open the Software Update pane in System Preferences. Ensure that "Check for Updates" is enabled, and set it to "Daily" (or the most frequent setting possible in your environment). There is a command line version available as well, called softwareupdate. Read its man page for more details.

For systems not connected to the Internet: Retrieve updates regularly from www.apple.com/support/downloads. Be sure to verify that the SHA-1 digest of any download matches the digest published there, using the following command:

  /usr/bin/openssl sha1 download.dmg

Account Settings

Open the Accounts pane in System Preferences.

Disable Automatic Login and User List: Click on "Login Options." Set "Automatic login" to "Off." Set "Display login window as" to "Name and password."

Disable guest account and sharing: Select the Guest Account and then disable it by unchecking "Allow Guest to log in to this computer." Uncheck "Allow guests to connect to shared folders."

Security Pane Settings

Open the Security pane in System Preferences.

In the General tab, ensure that the following are checked:

  • Require password "5 seconds" after sleep or screen saver begins
  • Disable automatic login
  • Use secure virtual memory
  • Disable Location Services (if present)
  • Disable remote control infrared receiver (if present)

In the FileVault tab, read the warnings and consider activating FileVault. Consult the Apple Snow Leopard Security Guide for more information. FileVault is recommended for portable systems since it can protect data even if the system is stolen.

In the Firewall tab, click "Start" to turn the firewall on. Next, click on "Advanced..." and enable "Block all incoming connections."

Secure Users' Home Folder Permissions

To prevent users and guests from perusing other users' home folders, run the following command for each home folder:

  sudo chmod go-rx /Users/username

Firmware Password

Set a firmware password that will prevent unauthorized users from changing the boot device or making other changes. Apple provides detailed instructions for Leopard (which also apply to Snow Leopard) here: http://support.apple.com/kb/ht1352

Disable IPv6 and AirPort when Not Needed

Open the Network pane in System Preferences. For every network interface listed:

  • If it is an AirPort interface but AirPort is not required, click "Turn AirPort off."
  • Click "Advanced." Click on the TCP/IP tab and set "Configure IPv6:" to "Off" if not needed. If it is an AirPort interface, click on the AirPort tab and enable "Disconnect when logging out."

Disable Unnecessary Services

The following services can be found in /System/Library/LaunchDaemons. Unless needed for the purpose shown in the second column, disable each service using the command below, which needs the full path specified:

  sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.blued.plist

  Filename:                                       Needed for:
  com.apple.blued.plist                           Bluetooth
  com.apple.IIDCAssistant.plist                   iSight
  com.apple.nis.ypbind.plist                      NIS
  com.apple.racoon.plist                          VPN
  com.apple.RemoteDesktop.PrivilegeProxy.plist    ARD
  com.apple.RFBEventHelper.plist                  ARD
  com.apple.UserNotificationCenter.plist          User notifications
  com.apple.webdavfs_load_kext.plist              WebDAV
  org.postfix.master                              email server

The following services can be found in /System/Library/LaunchAgents. Disable them in the same way.

  Filename:                                       Needed for:
  com.apple.RemoteUI.plist                        Remote Control
  com.apple.RemoteDesktop.plist                   ARD

Disable Setuid and Setgid Binaries

Setuid programs run with the privileges of the file's owner (which is often root), no matter which user executes them. Bugs in these programs can allow privilege escalation attacks. To find setuid and setgid programs, use the commands:

  find / -perm -04000 -ls
  find / -perm -02000 -ls

After identifying setuid and setgid binaries, disable the setuid and setgid bits (using chmod ug-s programname) on those that are not needed for system or mission operations.

The following files should have their setuid or setgid bits disabled unless required. The programs can always have their setuid or setgid bits re-enabled later if necessary. For more information see Apple's Snow Leopard Security Guide, chapter 7.

  Filename:                                     Needed for:
  /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent  Apple Remote Desktop
  /System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper  Printing
  /sbin/mount_nfs                               NFS
  /usr/bin/at                                   Job Scheduler
  /usr/bin/atq                                  Job Scheduler
  /usr/bin/atrm                                 Job Scheduler
  /usr/bin/chpass                               Change user info
  /usr/bin/crontab                              Job Scheduler
  /usr/bin/ipcs                                 IPC statistics
  /usr/bin/newgrp                               Change Group
  /usr/bin/postdrop                             Postfix Mail
  /usr/bin/postqueue                            Postfix Mail
  /usr/bin/procmail                             Mail Processor
  /usr/bin/wall                                 User Messaging
  /usr/bin/write                                User Messaging
  /bin/rcp                                      Remote Access (Insecure)
  /usr/bin/rlogin                               Remote Access (Insecure)
  /usr/bin/rsh                                  Remote Access (Insecure)
  /usr/lib/sa/sadc                              System Activity Reporting
  /usr/sbin/scselect                            User-selectable Network Location
  /usr/sbin/traceroute                          Trace Network
  /usr/sbin/traceroute6                         Trace Network

Configure and Use Both Firewalls

The system includes two firewalls: the ipfw packet-filtering firewall, and the new Application Firewall. The Application Firewall limits which programs are allowed to receive incoming connections, and it should be configured as described in the earlier section Security Pane Settings.

Configuring the ipfw firewall requires more technical expertise and cannot be fully described here. It requires creating a file with manually written rules (traditionally, /etc/ipfw.conf), and also adding a plist file to /Library/LaunchDaemons to make the system read those rules at boot. These rules depend heavily on the network environment and the system's role in it. To learn more about ipfw rules, see:

  • the ipfw man page
  • Apple's Snow Leopard Security Guide
  • http://www.freebsd.org/doc/en/books/handbook/

Disable Bluetooth and AirPort Devices

The best way to disable Bluetooth hardware is to have an Apple-certified technician remove it. If this is not possible, disable it at the software level by removing the following files from /System/Library/Extensions:

  IOBluetoothFamily.kext
  IOBluetoothHIDDriver.kext

The best way to disable AirPort is to have the AirPort card physically removed from the system. If this is not possible, disable it at the software level by removing the following file from /System/Library/Extensions:

  IO80211Family.kext

See the note below for information about removing kext files.

Disable Integrated iSight and Sound Input

The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it. Placing opaque tape over the camera is less secure but still helpful. A less persistent but still helpful method is to remove /System/Library/Quicktime/QuicktimeUSBVDCDigitizer.component, which will prevent some programs from accessing the camera.

To mute the internal microphone, open the Sound preference pane, select the Input tab, and set the microphone input volume level to zero. To disable the microphone entirely, although this also disables the rest of the sound system, remove the following file from /System/Library/Extensions:

  IOAudioFamily.kext

Note on removing kext files: To make the system reflect the removal of kext files, run the following command and reboot:

  sudo touch /System/Library/Extensions

Safari Preferences

Safari will automatically open some files by default. This behavior could be leveraged to perform attacks. To disable it, uncheck "Open safe files after downloading" in the General tab.

Unless specifically required, Safari's Java should be disabled to reduce the browser's attack surface. On the Security tab, uncheck "Enable Java."

Au Revoir, Bonjour!

Bonjour is Apple's implementation of Zeroconf, which provides a network service discovery protocol. Using Bonjour, many programs advertise their services on the local network to facilitate configuration. While this may be beneficial in some cases, from the security perspective it makes the computer unnecessarily visible and generates unwanted network traffic. Disable Bonjour's multicast advertisements with the following command and reboot:

  sudo defaults write /System/Library/LaunchDaemons/com.apple.mDNSResponder ProgramArguments -array-add "-NoMulticastAdvertisements"
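The digest check from the Use Software Update section, as an added POSIX shell example that is not part of the NSA trifold: it wraps the trifold's openssl sha1 command in a function that compares the computed digest with the one copied from the download page and fails closed on a mismatch, a malformed digest, or an unreadable file. It assumes openssl, shasum or sha1sum is installed; the two fallbacks are an addition for systems without openssl.

```shell
#!/bin/sh
# Added example (not from the NSA trifold): verify an offline update
# download against the SHA-1 digest Apple publishes beside it, as the
# "Use Software Update" section asks, with a fail-closed comparison rather
# than reading two 40-character strings by eye.
#
# Assumption: at least one of openssl (the trifold's tool), shasum or
# sha1sum is installed; the two fallbacks are added for systems without
# openssl.

# sha1_of FILE : print the lowercase hex SHA-1 digest of FILE, nothing else.
sha1_of() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA1(FILE)= <hex>"; keep only the hex part.
        digest=$(openssl sha1 "$1" | sed 's/^.*= *//')
    elif command -v shasum >/dev/null 2>&1; then
        digest=$(shasum -a 1 "$1" | cut -d' ' -f1)
    else
        digest=$(sha1sum "$1" | cut -d' ' -f1)
    fi
    printf '%s\n' "$digest" | tr 'A-F' 'a-f'
}

# verify_download FILE EXPECTED : compare FILE's digest with EXPECTED (the
# value copied from the download page; case and surrounding whitespace are
# ignored). Returns 0 on match, 1 on mismatch, 2 if FILE is unreadable or
# EXPECTED is not a 40-digit hex string. The verdict is printed on stdout.
verify_download() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi
    if [ ${#expected} -ne 40 ] || printf '%s' "$expected" | grep -q '[^0-9a-f]'; then
        echo "ERROR: expected digest is not 40 hex digits: '$2'"
        return 2
    fi
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-1 digest"
        return 0
    fi
    echo "MISMATCH: do not install $file"
    echo "  published: $expected"
    echo "  computed:  $actual"
    return 1
}

# Usage: sh verify_download.sh download.dmg <digest from the download page>
if [ $# -eq 2 ]; then
    verify_download "$1" "$2"
    exit $?
fi
```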
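The procedure from the Disable Setuid and Setgid Binaries section, as an added POSIX shell example that is not part of the NSA trifold: it runs the trifold's find -perm -04000 / -perm -02000 search under a root directory, compares the result with an allow-list of programs the site actually needs, and applies chmod ug-s to the rest, so the audit can be repeated after every system update. The allow-list contents and the sample directory tree are constructed for the demonstration, not recommendations.

```shell
#!/bin/sh
# Added example (not from the NSA trifold): audit setuid/setgid binaries
# against a site allow-list and strip the bits from everything else, which
# is the "Disable Setuid and Setgid Binaries" procedure done repeatably
# (the trifold's find -perm -04000 / -perm -02000 and chmod ug-s programname).
# Re-run it after each system update, since updates can restore the bits.
#
# The sample run builds a constructed tree under mktemp so nothing on the
# real system changes; pass / as the root (as root) to audit a real Snow
# Leopard system. ALLOWED is an assumption for the sample: fill it from the
# trifold's table and your own mission needs.

# Programs whose setuid/setgid bits this system needs, as paths relative to
# the audit root, one per line (paths must not contain spaces).
ALLOWED="
usr/bin/crontab
usr/sbin/traceroute
"

# is_allowed REL : succeed if REL is on the allow-list.
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# list_privileged ROOT : print every regular file under ROOT with the
# setuid or setgid bit set, as sorted paths relative to ROOT.
list_privileged() {
    root=${1%/}                  # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    find "${root:-/}" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null |
        sort | while IFS= read -r f; do
            printf '%s\n' "${f#"$root/"}"
        done
}

# audit_privileged ROOT : print the privileged files that are NOT on the
# allow-list, i.e. the candidates for chmod ug-s.
audit_privileged() {
    list_privileged "$1" | while IFS= read -r rel; do
        is_allowed "$rel" || printf '%s\n' "$rel"
    done
}

# strip_privileged ROOT : run chmod ug-s on every unapproved privileged
# file and print how many were changed.
strip_privileged() {
    root=${1%/}
    n=0
    for rel in $(audit_privileged "$1"); do
        chmod ug-s "$root/$rel"
        n=$((n + 1))
    done
    echo "$n"
}

# build_sample_tree : create a constructed tree mimicking a few entries
# from the trifold's table (at, crontab, wall, traceroute) plus one
# ordinary binary, and print its path. Sample data, not a real install.
build_sample_tree() {
    tmp=$(mktemp -d)
    for p in usr/bin/at usr/bin/crontab usr/bin/wall usr/sbin/traceroute bin/ls; do
        mkdir -p "$tmp/${p%/*}"
        printf '#!/bin/sh\necho %s\n' "$p" > "$tmp/$p"
        chmod 755 "$tmp/$p"
    done
    chmod u+s "$tmp/usr/bin/at" "$tmp/usr/bin/crontab" "$tmp/usr/sbin/traceroute"
    chmod g+s "$tmp/usr/bin/wall"
    echo "$tmp"
}

# Usage: sh audit_suid.sh --demo   (runs the audit on the constructed tree)
if [ "${1:-}" = "--demo" ]; then
    root=$(build_sample_tree)
    echo "Privileged files under $root:"; list_privileged "$root"
    echo "Not on the allow-list (will be stripped):"; audit_privileged "$root"
    echo "Stripped: $(strip_privileged "$root")"
    echo "Remaining unapproved: $(audit_privileged "$root" | wc -l | tr -d ' ')"
    rm -rf "$root"
fi
```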
