Mac OS X Server Hardening Checklist
The hardening checklists are based on the comprehensive checklists produced
by CIS. The Information Security Office has
distilled the CIS lists down to the most critical steps for your systems,
with a particular focus on configuration issues that are unique to the computing
environment at The University of Texas at Austin.
How to use the checklist
Print the checklist and check off each item you complete to ensure that
you cover the critical steps for securing your server. The Information
Security Office uses this checklist during risk assessments as part of the
process to verify that servers are secure.
How to read the checklist
- Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
- Check (√) - For administrators to check off when they complete this portion.
- To Do - Basic instructions on what to do to harden the respective system.
- CIS - Reference number in the Center for Internet Security Mac OS X Benchmark (PDF, requires UT EID login). The CIS document outlines in much greater detail how to complete each step.
- UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
- Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
- Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).
- Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
| Field | Value |
| --- | --- |
| MAC Address | |
| IP Address | |
| Machine Name | |
| Asset Tag | |
| Administrator Name | |
| Date | |
| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Installation and core Mac OS X | | | | | | | |
| 1 | | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | 2.1.2 | § | ! | | 5.1 |
| 2 | | Enable Open Firmware Password. | 2.2.1 | § | ! | | 4.1 |
| 3 | | Enable automatic notification of new patches and patch if necessary. | n/a | § | ! | | 5.3 |
| 4 | | Time synchronization: configure an NTP server. | 2.4.5.1 | § | ! | | n/a |
| 5 | | Enable logging/process accounting. | n/a | § | ! | | 6.1 |
| 6 | | Create complex passwords for administrator accounts. | 2.1.7 | § | ! | | 5.13 |
| 7 | | Disable core dumps. | 2.2.8 | § | | | n/a |
| System Services | | | | | | | |
| 8 | | If services are running, ensure the university warning banner is utilized. | 2.2.2, 2.2.3 | § | ! | | 5.10 |
| 9 | | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | 2.3, 2.4.14, 2.4.14.14 | § | ! | | 5.4 |
| 10 | | Limit connections to services running on the host to authorized users of the service (utilize firewall technology). | 2.4.13.9 | § | ! | | 5.5 |
| 11 | | Use an outbound network firewall. | 2.6.2 | § | | | n/a |
| Account Configuration | | | | | | | |
| 12 | | Create an administrator account and a standard account for each administrator. | 2.3.1 | § | | | 5.14 |
| 13 | | Set a strong password policy. | 2.3.8 | § | ! | | 5.13 |
| 14 | | Secure home folders. | 2.5.2 | § | ! | | 5.12 |
| 15 | | Securely erase files in the Finder. | 2.5.4 | § | | | n/a |
| 16 | | Prevent Spotlight from searching confidential folders and backup volumes. | 2.4.18.1, 2.4.18.2 | § | | | 5.12 |
| 17 | | Use secure virtual memory. | 2.4.13.5 | § | ! | | 57 |
| Additional Steps | | | | | | | |
| 18 | | Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | n/a | § | ! | | 5.9 |
| 19 | | Systems will provide secure storage for Category I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | 2.5.2, 2.5.3 | § | ! | | 5.7 |
| 20 | | Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications to ensure Category I data does not traverse the Internet in clear text. | n/a | § | ! | | 5.6 |
| 21 | | If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | n/a | § | ! | | 5.8 |
| 22 | | Install and enable anti-virus software. | n/a | § | ! | | 3.1 |
| 23 | | Configure anti-virus software to update its signatures daily. | n/a | § | ! | | 3.3 |
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1. If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall between the network and the host to be protected.
2. Enable an Open Firmware password appropriate for your OS version:
   - For Mac OS X 10.1 to 10.3.9, download the Open Firmware Password Application.
   - For Mac OS X 10.4 or later, you must use the updated version that can be copied from the software installation disc (located at /Applications/Utilities/ on the disc).
3. Verify that software update is set:
   - Open System Preferences and click Software Update.
   - Click Check for Updates and set the interval to Weekly or Daily.
   - If you have Microsoft Office installed, launch /Applications/Microsoft AutoUpdate.app, click Automatically and set the interval to Weekly or Daily.
   - If you have other applications that provide security updates, such as Adobe products, configure them to update Weekly or Daily too.
4. ITS Telecommunications and Networking operates two stratum 2 NTPv4 (NTP version 4) servers that provide network time synchronization services for university network administrators.
5. Turn on process accounting:
   - mkdir /var/account
   - touch /var/account/acct
   - accton /var/account/acct (or reboot)
   - chmod o-rx /usr/bin/lastcomm
   - chmod -R o-rx /var/account
6. The Information Resources Use and Security Policy (UTS-165), section 18, lists the requirements for passwords.
7. Note that this may not be desirable on development machines, as it may make troubleshooting application and operating system crashes more difficult. Run the following command from a Terminal window:
   launchctl limit core 0
8. The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
   To add the warning information to the message-of-the-day file, edit /etc/motd and paste the text of the university's warning banner into this file.
   To change the banners for GUI login, refer to the CIS document; the procedure is fully described there.
9. The list of available services can be found in System Preferences under the Services tab of the Sharing icon. Be especially wary of sharing services; misconfiguring this setting could grant full access to important files or system resources. Much more detailed information regarding services is available in the CIS benchmark documents. For example, SSH/Remote Login is on by default out of the box. Unless it is being utilized, turn it off in the Sharing system preferences.
   The freeware application Lingon may also be of use to identify and remove applications and services that run at startup. Lingon is a graphical interface for editing launchd configuration files.
10. Administrators may find the firewall native to Mac OS X, ipfw, robust and easily managed (manual page: http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html). There are several applications, such as WaterRoof, which provide a GUI to ipfw.
    Leopard introduced a new application-based firewall intended to replace ipfw. This firewall is simple to configure but has few options and can be trivially bypassed. While the application firewall should be adequate for most desktop users, servers and workstations with a high need for security should be configured to use ipfw instead.
    You may also want to refer to the list of Mac OS X network service ports in Apple KB 106439.
    NOTE: OS X Panther has known bugs in its implementation of ipfw. It is strongly recommended to review the details of the related bug or use a more recent version of OS X.
11. The included firewall, ipfw, can be configured to do this. Additionally, there are commercial products, namely Little Snitch, that act as outbound application firewalls.
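An added example (not from the UT checklist or the CIS benchmark) covering notes 10 and 11 together: a shell function that writes an ipfw ruleset which admits inbound connections to listed service ports only from an authorized management network, permits only outbound traffic the host itself initiates, and ends with a logged default deny. The network 192.0.2.0/24 and the port list are placeholders, not university values; the generated script is meant to be reviewed and then run as root.

```shell
#!/bin/bash
# Added example, not from the checklist: generate an ipfw ruleset that
# (a) limits inbound connections to listed services to an authorized
# network (note 10) and (b) only permits outbound traffic the host itself
# initiates, with a logged default deny (note 11). 192.0.2.0/24 and the
# port list are placeholders, not university addresses.
# Usage: build_ipfw_rules ADMIN_NET "port port ..." > /etc/ipfw.rules
#        review the file, then: sudo sh /etc/ipfw.rules
build_ipfw_rules() {
    admin_net="$1"
    ports="$2"
    # refuse anything that is not a plain port number, so a typo cannot
    # silently turn into a rule that matches "any"
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
#!/bin/sh
# generated by build_ipfw_rules; ipfw evaluates rules in number order
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 1000 check-state
EOF
    n=2000
    for p in $ports; do
        # inbound: only the management network may open these services;
        # keep-state lets the reply packets match at check-state
        echo "ipfw add $n allow tcp from $admin_net to me $p in setup keep-state"
        n=$((n + 100))
    done
    cat <<EOF
ipfw add 5000 allow tcp from me to any out setup keep-state
ipfw add 5100 allow udp from me to any 53,123 out keep-state
ipfw add 5200 allow icmp from any to any icmptypes 0,3,8,11
ipfw add 65000 deny log ip from any to any
EOF
}

# demonstration with placeholder values; edit before use
build_ipfw_rules 192.0.2.0/24 "22 548"
```

Logging on the final rule only produces output when net.inet.ip.fw.verbose is enabled with sysctl.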
12. This section intentionally left blank.
13. The Information Resources Use and Security Policy (UTS-165), section 18, lists the requirements for passwords. If possible, use pwpolicy or a centrally managed password policy on a Mac OS X Server to enforce these requirements.
14. By default, every user is allowed to see into the top level of other users' home folders so that files can be placed into the "Drop Box" folder of any user.
    To resolve this, open a Terminal window and enter:
    sudo chmod 700 /Users/<username>
    where <username> is the name of each user. This command has to be run for each user with a local home folder.
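The loop form of note 14, as an added example that is not part of the UT checklist: it applies mode 700 to every directory under a users base (default /Users), skips /Users/Shared, and reports only the folders it changed, so a second run is silent. The base path argument and the stat fallback are there so the function can be exercised on a test tree.

```shell
#!/bin/bash
# Added example, not from the checklist: the loop form of note 14. Every
# directory directly under the users base (default /Users) is set to mode
# 700 so other local users can no longer browse its top level. /Users/Shared
# is skipped on purpose: it is the common drop area, not a home folder.
# Usage on the server: sudo ./secure_homes.sh          (base defaults to /Users)
#        on a test tree: secure_home_folders /path/to/fake/Users
secure_home_folders() {
    base="${1:-/Users}"
    for home in "$base"/*; do
        [ -d "$home" ] || continue              # glob miss, plain file, or broken link
        case "${home##*/}" in
            Shared) continue ;;                 # keep the shared folder open
        esac
        # GNU stat (Linux test host) understands -c; BSD/macOS stat uses -f
        if mode=$(stat -c '%a' "$home" 2>/dev/null); then :; else
            mode=$(stat -f '%Lp' "$home")
        fi
        if [ "$mode" != "700" ]; then
            chmod 700 "$home"
            echo "fixed $home (was $mode)"       # one line per folder changed
        fi
    done
    return 0
}

secure_home_folders "${1:-/Users}"
```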
15. If files containing sensitive data are frequently deleted from this machine, set the Finder to automatically use the secure delete option (Finder: Preferences: Advanced: Empty Trash Securely).
    The command-line tool srm is also available as an alternative to rm.
    Note that secure deletion of files can take significantly longer than a normal delete operation.
16. Spotlight is a built-in service that, by default, indexes every file on any local hard drive and allows the contents of the indexed files and folders to be searched. While Spotlight enforces access controls to limit access to files, the index itself may contain sensitive information about the files. The Spotlight System Preference pane allows a user to exclude volumes, folders, and data types from being indexed.
    In System Preferences: Spotlight, Search Results tab, turn off any categories that should not be indexed.
    In System Preferences: Spotlight, Privacy tab, add any volumes or folders that contain sensitive data.
    Alternatively, you can stop Spotlight from indexing and searching specific volumes with the following command:
    sudo mdutil -E -i off <volumename>
17. In System Preferences: Security, General tab, check "Use secure virtual memory."
    Alternatively, run the following command:
    sudo defaults write /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -bool yes
    A reboot is required for this change to take effect.
18. BSD files:
    - Check /groups/admin to see who has admin privileges.
    - Check /etc/passwd for blank passwords.
    OpenDirectory users: list all users with the nireport utility:
    $ nireport . /users uid name home realname shell
    OpenDirectory groups: to list all group IDs (GIDs) and group names for the local domain, use the nireport utility:
    $ nireport . /groups gid name
    Passwords:
    - Utilize pwpolicy to set global or per-user password policies. Using pwpolicy, one can set the expiry date, require alphabetic or numeric characters, set the maximum failed login count, and set the password length, among others.
    - Check the strength of users' passwords with tools such as John the Ripper.
    - Seek approval from the IT Owner. Consider using a simple dictionary for easily guessed passwords.
    - Develop a procedure to report and remediate easily guessed passwords.
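An added example (not part of the UT checklist) of the flat-file checks in note 18 as a repeatable audit: it reports accounts with an empty password field, accounts other than root with UID 0, and members of the admin group that are not on an approved baseline, and returns the number of findings. The passwd and group samples are constructed for the demonstration; on a server, point it at /etc/passwd and /etc/group with your own baseline.

```shell
#!/bin/bash
# Added example, not from the checklist: an audit over the flat files note 18
# points at. It reports accounts with an empty password field, accounts other
# than root with UID 0, and admin group members missing from an approved
# baseline. Returns the number of findings (0 = clean; the shell caps it at 255).
# On Mac OS X the flat files hold "*" for OpenDirectory-managed accounts, so
# this complements the nireport checks rather than replacing them.
audit_accounts() {
    passwd_file="$1"; group_file="$2"; baseline="$3"   # baseline: "root alice"
    findings=0
    while IFS=: read -r name pw uid rest; do
        case "$name" in ''|\#*) continue ;; esac        # blank or comment line
        if [ -z "$pw" ]; then
            echo "BLANK-PASSWORD $name"; findings=$((findings + 1))
        fi
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "EXTRA-UID0 $name"; findings=$((findings + 1))
        fi
    done < "$passwd_file"
    # admin group line looks like  admin:*:80:root,alice  (field 4 = members)
    members=$(awk -F: '$1 == "admin" { print $4 }' "$group_file" | tr ',' ' ')
    for m in $members; do
        case " $baseline " in
            *" $m "*) ;;                                 # approved admin
            *) echo "UNEXPECTED-ADMIN $m"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# constructed sample data for the demonstration (not real accounts)
SAMPLE_PASSWD=$(mktemp); SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
alice:*:501:20:Alice:/Users/alice:/bin/bash
bob::502:20:Bob:/Users/bob:/bin/bash
toor:*:0:0:Second root:/var/root:/bin/sh
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
admin:*:80:root,alice,carol
staff:*:20:root
EOF
audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "root alice" || echo "findings: $?"
rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```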
19. There are a variety of methods available to accomplish this goal. Mac OS X comes with FileVault. NOTE: FileVault works with local home directories only, not home directories on the server or any other kind of data. Instead, REALLY important data could be secured by putting it on encrypted disk images (which is what FileVault does), but this will be neither automatic nor transparent to the user.
    Some other good candidates are PGP (cost), GNUPG (free), and Truecrypt (free).
20. If you decide to use Remote Login (SSH server), the ISO highly recommends that you change the port from port 22 to something else. There are scripts online that malicious hackers can use against SSH servers, and the scripts always attack port 22 since most people do not change the default port.
    The ISO also highly recommends that you do not allow root logins via Remote Login (SSH).
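An added example (not from the UT checklist) that checks an sshd_config for the two settings note 20 asks for: a listening port other than 22 and PermitRootLogin set to no. It honours the way sshd reads the file (keywords are case-insensitive, commented lines are not in effect, the first occurrence of a keyword wins, and several Port lines may be present); Match blocks are not handled. The two sample configurations are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from the checklist: audit an sshd_config against note 20.
# Keywords are case-insensitive, comments are ignored, the first occurrence of
# a keyword is the one sshd uses, and Port may appear more than once. When a
# keyword is absent the OpenSSH defaults apply: Port 22, and PermitRootLogin
# yes on the OpenSSH versions shipped with these OS X releases.
# Returns the number of findings; 0 means both recommendations are in place.
audit_sshd_config() {
    cfg="$1"
    findings=0
    # effective directives only: strip comments, blank lines, lower-case both fields
    eff=$(sed -e 's/#.*//' "$cfg" | awk 'NF >= 2 { print tolower($1), tolower($2) }')
    root_login=$(printf '%s\n' "$eff" | awk '$1 == "permitrootlogin" && !seen { print $2; seen = 1 }')
    ports=$(printf '%s\n' "$eff" | awk '$1 == "port" { print $2 }')
    if [ "$root_login" != "no" ]; then
        echo "PermitRootLogin is '${root_login:-unset (default allows root)}'; set it to no"
        findings=$((findings + 1))
    fi
    if [ -z "$ports" ]; then
        echo "no Port directive: sshd listens on 22; choose another port"
        findings=$((findings + 1))
    else
        for p in $ports; do
            if [ "$p" = "22" ]; then
                echo "Port 22 is configured; move the service off the default port"
                findings=$((findings + 1))
            fi
        done
    fi
    return "$findings"
}

# constructed sample configs: one that relies on defaults, one hardened
WEAK=$(mktemp); HARDENED=$(mktemp)
printf '#Port 22\n#PermitRootLogin yes\nProtocol 2\n' > "$WEAK"
printf 'Port 2222\nPermitRootLogin no\nProtocol 2\n' > "$HARDENED"
audit_sshd_config "$WEAK" || echo "weak config: $? finding(s)"
audit_sshd_config "$HARDENED" && echo "hardened config: clean"
rm -f "$WEAK" "$HARDENED"
```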
21. Available tools include:
22. Download and install Norton AntiVirus from BevoWare (at no additional cost).
23. Documentation can be found on the ITS Web site. Norton AV AutoProtect may impact a production OS X server's performance and may not be deemed essential to ensuring the security of the system or the network. In this case, daily or weekly scheduled scans may be adequate.