Mac OS X Lab Security on Campus

By: James Reynolds - Revised: 2014-01-23 richard

Download Slides – PDF-File, 1.1 MB
Download Handout – PDF-File, 1.1 MB

Introduction

This presentation discusses Mac OS X lab physical security, boot security, how to handle published exploits, passwords, world write permissions, SUID applications, how to securely modify the system, what to do with applications that stay open after logout, how to protect services that you might enable, and how to monitor your labs to ensure that they stay secure.


Webcasts/Presentations

On 6-17-03, James Reynolds presented this material on a webcast for Mac OS X Labs.
View Webcast (link dead)
Download Webcast Slides – PDF-File, 166.9 KB
Webcast Q&A (link dead)

On 5-1-03, James Reynolds presented this material at the "Integrating Mac OS X on Campus" presentation held at the University of Utah.
See top of page for links to presentation, slides, and handout.

Updates to this page

This page is now in a somewhat finished state. However, as time permits, more information will be added. Basically, as the Student Computing Labs Mac Group implements each part, we will document it and add it to this page. Areas that we intend to add more information has the text "More info coming".

Physical Security

Physical security is ensuring that hardware is not tampered with or stolen. By tampering with hardware, it is easy to bypass any software security. Stealing hardware is a security risk because it allows a hacker to examine your hard disk, crack passwords, and generally see what you have there. For example, you may have a script that contains a clear text password. Stolen hardware just plain sucks too. Let's prevent it.

iMac Locks
The flat panel iMac has a bottom panel that can easily be opened. If you have iMacs, you either want to get special screws, or you should look at one of these products:
If you are using security screws, you want to use a script that verifies your open firmware password. See below.

Security Cameras
Scare away hackers with cameras. Be sure to archive all images so that you can convict hackers. Here are 2 vendors that make good cameras.
Alarms
Tamper/theft Detection
  • InterMapper
    InterMapper will keep track of your computers. If one of them goes off, InterMapper can email or page you.
  • Use curl and a webserver to track stolen hardware. This simple perl script will try to download a file that is named "<serial number>.html" from a webserver, but only if the computer has network access. Run it every hour or once a day with cron. Be sure to configure the webserver to log IP's.

#!/usr/bin/perl

sleep int(rand 60);
$network = `ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/tunnel/d' -e '/inet/p' | wc -l`;

$serial_number1 = `system_profiler 2> /dev/null | grep "Customer serial number"`;
@serial_number2 = split (' ', $serial_number1);
$url = "http://yourserver.edu/$serial_number2[3].html";
$useragent = "Thief Killer (Mac OS X)";
if ( $network == 1 ) {
  $status = `curl -A "$useragent" $url`;
}

System Profiling
  • Apple Remote Desktop is capable of producing machine reports. Use these to make sure that nothing has changed.
  • If you don't have ARD, system_profiler will generate a text report. A simple "system_profiler | grep DIMM" will tell you what RAM is installed in your computer. You can also use system_profiler to get the machine serial number and ethernet address.

Boot Security

Open Firmware
Open Firmware is how you ensure that users don't change the boot disk. Please read the detailed instructions to learn how more about Open Firmware, how to set it, and how to verify that it stays set.

Single User Mode
  • SecureIt will prevent anyone from accessing single user mode without a password. A must have for Macs that are too old to have open firmware password. This is nice even on Macs that have open firmware password, just in case you forget to set it. Please read the detailed installation instructions.
Old Hardware
  • Unplug zip and CD drives in hardware that does not support open firmware password.
Classic
  • Do not dual boot. If you do, there is no way you can count on any kind of security. PERIOD.
  • Lock Startup Disk prefs.
  • Use a disk image. See: ShadowClassic. Also read this forum posting: Using Classic from a read-only disc image.

Published Exploits

Mac OS X has had many published holes. If you want to keep your systems safe, you must be able to push out an updated system ASAP. Choose whatever maintenance software you want. Just be aware that some will require much more time to push out an update. We recommend Radmind. Radmind has a steep learning curve, but it can push out an update to over 500 Macs in one day, if you really needed to.

Maintenance Software
Security Notifications
Stay on top of published exploits by knowing about them first. Following is a list of the major security sites. Be aware that these sites usually post notifications after there is a fix. If you want to be notified before it gets posted on these sites, you have to be participate in the mail lists and forums where they discuss lab deployment issues.

Security Notifications - Mac OS X Specific
General Security
If you have alot of time, you may consider visiting these websites often as well.

Passwords

It is very easy to get the encrypted password on a Mac OS X box with local users. 10 years ago the encrypted passwords were safe. Today, it is possible to crack an encrypted password because our computers are so fast. Please read more about passwords.

Admin System Changes

Realize that every change you make to the system is a potential security hole. Examples include enabling root, adding startup items, loginhook, logouthook, or cron jobs.
  • How to write secure code. (link dead)
    • Use full paths
    • Use trusted system calls.
    • Check input.
    • Don't do anything in public space.
    • Take into account your script may not finish because the Mac is force restarted. What would it do next time it is run?
  • Check permissions, check permissions, check permissions (see next section).

World Writable

Track Software Installs
  • Radmind. The key tool here is fsdiff.
  • File Buddy. Use the "Take Snapshot" and "Compare Snapshots" menu items.
Applications that want world write rights to non-user space.
Find world writable
  • Use "sudo find / -perm -2"
  • Who Owns What
  • Startup script that runs "sudo find / -perm -2" and notifies you if there is a problem.

#!/usr/bin/perl

@ignoreList = ("/Library/Caches", "/Library/ColorSync/Profiles", "/System/Library/Caches", "/System/Library/User Template", "/Users/student", "/Users/admin/student_template", "/Volumes", "/core", "/dev", "/private/tmp", "/private/var/run", "/private/var/tmp");
$logger = "/usr/bin/logger"; # Your logger

@dirs = `find / -perm -2`;

foreach $i (@dirs) {
  chomp $i;
  $flag = 1;
  foreach $j (@ignoreList) {
    if ( index ($i, $j) == 0 ) {
$flag = 0;
last;
    }
  }
  if ($flag) {
    push (@final_list, $i);
  }
}
$size = @final_list;
if ( $size > 0 ) {
  system "$logger "I have writable folders @final_list."";
}
#Option section, might break stuff...
#foreach $i (@final_list) {
#  system "chmod o-w $i";
#}
exit 0;


Network Sniffing

  • Use a smart switch!
  • Turn port security on so laptops will not work. Ports will only work with one CPU
  • Use a encrypted applications: ssh, sftp, ssl email transfer. Not telnet, ftp, non-ssl email transfer.
  • Be aware a switched network isn't as secure as you think. Read why.

Logout

  • It is possible to launch processes that will not quit at logout. Read more about nohup.
  • Add to logouthook: "killall -u $1" (this is ungraceful approach)
  • Leave loginwindow and other system processes running, but kill all other user processes with the killsumapps script. Be sure to give it a username.
    • PERL:
      system "/path/to/killsumapps.pl $ARGV[0]";
    • SHELL:
      /path/to/killsumapps.pl $1
  • Neither of the above methods will kill SUID root applications like top.

Services

Scan yourself now
Firewall
Allow lists
  • sudoers. Remove "%admin" from /etc/sudoers and replace with your admin username using the visudo command (see visudo man page).
  • sshd. Add "AllowUsers username1 username2 etc" to /etc/sshd_config (see man sshd_config). The users allowed are separated by spaces. Change "Protocol 2,1" to "Protocol 2" in /etc/sshd_config. Also, sshd uses TCP-Wrappers.
  • Enable TCP-Wrappers. Read more about TCP-Wrappers.
  • xinetd uses TCP-Wrappers, or you can configure it even more (see man xinetd.config).
  • Apache, read about allow lists, and use this:
    • <Directory "/Library/WebServer/Documents">
      AllowOverride None
      Order deny,allow
      Deny from all
      </Directory>
  • Cron
    • chmod -R o-rx /etc/crontab
      chmod -R o-rx /etc/periodic
      echo root > /var/cron/allow

The Unknown

Tripwire Security Scanners
  • Nmap (Mac OS X version: NmapFE). Read about Nmap.
  • Nessus (Mac OS X faq).
  • MacAnalysis. We have negative opinions about this application, but we thought it deserves mentioning. Initially we thought it was really awesome and wrote this review (written in 2002). Our current opinion is negative because MacAnalysis never reports any problems. Either that is because MacAnalysis isn't doing anything, or Mac OS X is *really* secure, which would explain why there hasn't been a single security update from Apple... Also, it can not be automated. And it constantly asks for a new serial number, which we have to get from the developer. We just quit using it and are very unhappy with it.
Log checker
  • Use a central logger. More info coming*.
  • Use a log checker. More info coming*.
  • Turn on extra logging in xinetd (see man xinetd.config)
Turn on process accounting
  • "mkdir /var/account"
  • "touch /var/account/acct"
  • "accton /var/account/acct" or reboot
  • "chmod o-rx /usr/bin/lastcomm"
  • "chmod -R o-rx /var/account"
Forensics
If you really have been hacked, you should turn off the computer, and don't turn it back on without talking to the police or your security department. You will probably have to remove the hard disk and turn it over to them. If you are the security department, and you don't know what you are doing, well, here are some things you can read.
  • Get involved in the Mac OS Forensic and Analysis Yahoo Group. Some of the world's best Mac OS X forensic experts are in that group.
  • Forensic Analysis of a compromised Mac OS X (Client) Machine
  • Here is a Word document that demonstrates what a detailed forensics analysis looks like: Roland_Miller_GCFA.doc
  • Watch network packets with tcpflow (see here for Mac OS X info).
  • On a running box, you can use these preinstalled Unix utilities (assuming that they haven't been modified by a hacker to not show you any problems).
    • "sudo tcpdump -n" to see network packet headers (using IP's and not DNS names).
    • "sudo netstat -f inet" to see the tcp listings.
    • "sudo netstat -tan" to see all network and local sockets in use.
    • "sudo lsof" to see open files. As root, it will show you the open network sockets for all programs running on your system.
  • MacSniffer for analyzing network traffic.
  • Inspect hard disks without the system modifying them by using BlackBag's FireBox or WiebeTech's Forensic DriveDock. (link dead)

Links


Books


Table Of Contents
    Discusses the dangers of having SSH enabled on a computer as well as recommended precautions such as disabling protocol 1, setting up user access lists, setting up IP access lists, changing the default port, and turning on the firewall.

    Learn how to install and set up FCheck.

    What do you get when you mix fast computers, large hard disks, lots of RAM, fast internet connections, a UNIX OS, public access to the CPU, and no monitoring? A really nice public computer lab. However, add one really smart cracker, and soon you have a really nice public lab of unauthorized internet servers. While Mac OS X is secure, it isn't impenetrable, and it is gold mine. Someday, across University campuses everywhere, really smart crackers are going to realize that cracking into convenience store safes aren't as profitable as cracking into bank vaults. When they finally realize this, it would be nice if lab admins already have security systems ready to stop them. NMap is a tool that scans a computer's network ports. Make sure that your computers don't have network ports open that shouldn't be open by using a script and cron to automate nmap scans. James will discuss and demonstrate automating nmap in our labs.

    Learn what an open firmware password is, how to set one, and how to verify one.

    There are 2 types of password vulnerabilities. One is a plain brute force login attempt. That is when a user (or more likely script) tries to login with common usernames and passwords until a match is found. This is a common network attack against ssh. The other is type of vulnerability is when the "encrypted" password file is obtained. It is getting continually easier and easier to crack the encrypted password files, almost to the point that they are useless. So keeping them safe is getting to be the only way to protect yourself from this, unless you have the resources to use 2-factor authentication, like a password PLUS fingerprint/retina scan.

    Discusses a single user mode vulnerability and how to avoid this vulnerability using SecureIt.

    Discusses TCP Wrappers and how to configure it.