S 3.211 Client under Mac OS X
Description
This module covers the Mac OS X client operating system from Apple. The X in Mac OS X stands for the Roman numeral 10, but can also be read as a reference to the X in Unix, Linux, AIX and other Unix derivatives.
Mac OS X is based on Darwin, Apple's free Unix operating system. Darwin is an open source kernel based on FreeBSD. The major difference between FreeBSD and Mac OS X is that FreeBSD lacks the "Aqua" graphical user interface.
Mac OS X can only be installed on IT systems manufactured by Apple. Variants of Mac OS are also used in other Apple products such as the iPhone, iPad or iPod touch. This module is based on the "Snow Leopard" client version (Mac OS X 10.6), but can be applied to all versions of Mac OS X in which the software components discussed (e.g. FileVault in version 10.3 and higher, Dashboard in version 10.4 and higher or Time Machine in version 10.5 and higher) are available.
The security of an operating system plays an important role in security throughout an information system. Weaknesses at operating system level can adversely affect the security of all applications and the entire network. The focus in this module is on the protection of an IT system running Mac OS X operated as a stand-alone system or a client in a client/server network.
Threat scenario
The following typical threats are assumed for IT-Grundschutz when individual IT systems running the Mac OS X operating system are used.
Force Majeure
T 1.2 | Failure of the IT system |
T 1.4 | Fire |
T 1.5 | Water |
T 1.8 | Dust, soiling |
Organisational Shortcomings
T 2.1 | Lack of, or insufficient, rules |
T 2.9 | Poor adjustment to changes in the use of IT |
T 2.19 | Inadequate key management for encryption |
Human Error
T 3.2 | Negligent destruction of equipment or data |
T 3.3 | Non-compliance with IT security measures |
T 3.6 | Hazards posed by cleaning staff or outside staff |
T 3.8 | Improper use of the IT system |
T 3.9 | Improper IT system administration |
T 3.108 | Incorrect configuration of Mac OS X |
T 3.109 | Inappropriate handling of FileVault encryption |
Technical Failure
T 4.7 | Defective data media |
Deliberate Acts
T 5.2 | Manipulation of information or software |
T 5.7 | Line tapping |
T 5.9 | Unauthorised use of IT systems |
T 5.18 | Systematic trying-out of passwords |
T 5.21 | Trojan horses |
T 5.23 | Malicious software |
T 5.40 | Monitoring rooms using computers equipped with microphones and cameras |
T 5.71 | Loss of confidentiality of classified information |
T 5.83 | Compromising cryptographic keys |
T 5.85 | Loss of integrity of information that should be protected |
Method recommendation
To secure the information system under consideration, other modules in addition to this module must be implemented depending on the results of the modelling process performed according to the IT baseline protection guidelines. This includes the module S 3.1 General client. If Mac OS X is operated on a laptop, module S 3.3 Laptop must also be taken into account.
This module describes safeguards to protect a client running Mac OS X that has normal protection requirements. Only applications that are part of the standard scope of delivery of Mac OS X are considered.
A series of safeguards must be implemented to securely configure clients running Mac OS X, starting in the planning and design phase, through the installation phase, and up to the operation phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and Design
Clients running Mac OS X should not be used in an institution without their use being planned and co-ordinated with the internal security policies, as described in S 2.478 Planning the use of Mac OS X. To accomplish this, among other things, it is necessary to clarify the requirements for the use of Mac OS X and to create descriptions of the user and administration concept as well as recommendations on an adequate data backup and encryption scope. S 4.375 Use of the sandbox function under Mac OS X describes a method to restrict the rights of applications under Mac OS X. It is also necessary to clarify in advance which applications are to be executed in a sandbox and which access rights are to be granted to these applications. The use of the program access control under Mac OS X must also be planned, since a stricter client configuration must be used depending on the field of use. Information can be found in S 4.378 Limiting access to programmes under Mac OS X. Since the password strength significantly contributes to the security of an IT system, it must be planned in advance which properties a password must have. The recommendations in S 4.376 Specifying password policies under Mac OS X should be implemented as a minimum.
Implementation
When installing a client under Mac OS X, a series of safeguards that increase the security level of the system must be implemented. "Hardening" the system raises the level of security by closing the gaps that normally exist after a standard installation. Corresponding recommendations can be found in S 4.371 Configuration of Mac OS X clients. Subsequently, safeguard S 4.374 Access protection of user accounts under Mac OS X should be implemented for each user account to increase the level of security of each account. The personal firewall of Mac OS X never replaces a security gateway, but should nevertheless be enabled and properly configured. Safeguard S 5.166 Configuration of the Mac OS X Personal Firewall contains information on this subject. Safeguard S 4.372 Use of FileVault under Mac OS X can be applied to encrypt the user folder.
To keep the number of services offered by a client running Mac OS X in the network as low as possible, and thus to reduce the number of opportunities for attacks, as many network services as possible should be disabled (see S 5.165 Deactivation of unnecessary Mac OS X network services). It may also make sense to disable unnecessary hardware, for example to prevent misuse of the computer's microphone or camera (see S 4.373 Deactivation of unnecessary hardware under Mac OS X).
Operation
The smooth operation of Mac OS X clients should be ensured by regular checks and analyses of the log files. Particular attention should be paid to irregularities. Information on this subject can be found in safeguards S 4.26 Regular security checks of Unix systems and S 4.25 Use of logging in Unix systems. If confidential information is to be transported or stored outside the user folder, the users must be informed about and trained in safeguard S 4.379 Secure data management and transport under Mac OS X. In addition, administrators must be informed about safeguard S 4.377 Checking the Mac OS X signatures so that they can verify that every new application carries a valid signature.
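The regular log check called for above is easiest to sustain when the "irregularities" are spelled out as concrete rules. The following Python script is an added example and is not part of the IT-Grundschutz module or of any BSI tooling. It evaluates syslog-style lines as written by Mac OS X 10.6 to /var/log/secure.log and flags two patterns: bursts of failed authentications for one account (the threat T 5.18, systematic trying-out of passwords) and any activity outside working hours. All log lines, host names, user names, PIDs and addresses are constructed for the example; the two message patterns that mark a failed authentication (the screensaver unlock message and sshd's PAM error) are assumptions that should be checked against the logs of the release actually in use, and the log year, which secure.log does not record, is passed in as a parameter.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system). The layout follows
# the syslog-style lines of /var/log/secure.log on Mac OS X 10.6.
SAMPLE_LOG = """\
Mar  3 08:01:12 mac-client-01 loginwindow[44]: Login Window Application Started
Mar  3 08:02:03 mac-client-01 SecurityAgent[210]: User info context values set for alice
Mar  3 08:02:05 mac-client-01 SecurityAgent[210]: Login Window login proceeding
Mar  3 12:15:40 mac-client-01 screensaver[388]: Failed to authenticate user alice (tDirStatus: -14090).
Mar  3 12:15:44 mac-client-01 screensaver[388]: Failed to authenticate user alice (tDirStatus: -14090).
Mar  3 12:15:49 mac-client-01 screensaver[388]: Failed to authenticate user alice (tDirStatus: -14090).
Mar  3 12:15:53 mac-client-01 screensaver[388]: Failed to authenticate user alice (tDirStatus: -14090).
Mar  3 12:15:58 mac-client-01 screensaver[388]: Failed to authenticate user alice (tDirStatus: -14090).
Mar  3 12:16:10 mac-client-01 screensaver[388]: User info context values set for alice
Mar  3 23:41:07 mac-client-01 sshd[901]: error: PAM: authentication error for root from 192.0.2.10
Mar  3 23:41:12 mac-client-01 sshd[901]: error: PAM: authentication error for root from 192.0.2.10
Mar  3 23:41:15 mac-client-01 sshd[902]: error: PAM: authentication error for root from 192.0.2.10
Mar  3 23:41:19 mac-client-01 sshd[903]: error: PAM: authentication error for admin from 192.0.2.10
"""

# "Mon  D HH:MM:SS host process[pid]: message" (pid is optional)
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns treated as a failed authentication. Assumed from 10.6-era
# messages (screensaver unlock, sshd via PAM); extend for the release in use.
FAILURE_RES = [
    re.compile(r"Failed to authenticate user (?P<user>\S+)"),
    re.compile(r"PAM: authentication error for (?P<user>\S+) from (?P<src>\S+)"),
]


def parse_line(line, year=2011):
    """Split one syslog-style line into its fields; None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S")
    return {"time": stamp, "host": m["host"], "proc": m["proc"].strip(), "msg": m["msg"]}


def failed_auth_events(lines, year=2011):
    """Yield (time, user, source, process) for every failed authentication."""
    events = []
    for raw in lines:
        ev = parse_line(raw, year)
        if ev is None:
            continue
        for pat in FAILURE_RES:
            fm = pat.search(ev["msg"])
            if fm:
                src = fm.groupdict().get("src") or "local"
                events.append((ev["time"], fm["user"], src, ev["proc"]))
                break
    return events


def find_password_guessing(lines, threshold=5, window_s=60, year=2011):
    """Flag (user, source) pairs with >= threshold failures inside window_s seconds."""
    by_key = {}
    for t, user, src, _proc in failed_auth_events(lines, year):
        by_key.setdefault((user, src), []).append(t)
    window = timedelta(seconds=window_s)
    findings = []
    for (user, src), times in by_key.items():
        times.sort()
        lo, best = 0, None
        for hi, t in enumerate(times):          # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {"user": user, "source": src, "count": n,
                        "first": times[lo], "last": t}
        if best:
            findings.append(best)
    findings.sort(key=lambda f: f["first"])
    return findings


def find_out_of_hours(lines, start_hour=7, end_hour=19, year=2011):
    """Return parsed events whose timestamp lies outside [start_hour, end_hour)."""
    return [ev for ev in (parse_line(raw, year) for raw in lines)
            if ev and not (start_hour <= ev["time"].hour < end_hour)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in find_password_guessing(lines):
        print(f"possible password guessing: user={f['user']} source={f['source']} "
              f"failures={f['count']} between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
    for ev in find_out_of_hours(lines):
        print(f"out-of-hours activity: {ev['time']:%b %d %H:%M:%S} {ev['proc']}: {ev['msg']}")
```

On a real client the script would be pointed at the rotated secure.log files rather than SAMPLE_LOG; the threshold and window are deliberately parameters so that they can be tuned to the institution's password policy (S 4.376), and a hit should be treated as a starting point for the manual review required by S 4.26, not as a verdict.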
Disposal
In case of disposal or withdrawal from service of a system it must be ensured that no third party gains access to security-related information. For this reason, not only removable media, but also locally stored user data must be reliably deleted, if the storage medium or the IT system is disposed of. Safeguard S 6.148 Disposal of a Mac OS X system must be implemented for secure deletion of information under Mac OS X.
Contingency Planning
In order to resume normal operation as quickly as possible following a hardware failure or data loss, the recommendations of safeguards S 6.146 Data backup and restoration of Mac OS X clients and S 6.147 Restoring system parameters when using Mac OS X should be implemented. Safeguard S 4.380 Use of Apple Software Restore under Mac OS X contains additional information on how to create an identical copy of a system. This system image can be used to restore a client under Mac OS X or to load a default image to all Mac OS X clients via the network.
The bundle of security safeguards to be used for the "Mac OS X" module is presented in the following:
Planning and design
S 2.478 | (A) | Planning the use of Mac OS X |
S 2.479 | (A) | Planning the Mac OS X security policies |
S 4.374 | (C) | Access protection of user accounts under Mac OS X |
S 4.375 | (Z) | Use of the sandbox function under Mac OS X |
S 4.376 | (C) | Specifying password policies under Mac OS X |
S 4.378 | (Z) | Limiting access to programmes under Mac OS X |
S 5.64 | (Z) | Secure Shell |
Implementation
S 4.106 | (A) | Activation of system logging |
S 4.371 | (C) | Configuration of Mac OS X clients |
S 4.372 | (C) | Use of FileVault under Mac OS X |
S 4.373 | (C) | Deactivation of unnecessary hardware under Mac OS X |
S 5.165 | (C) | Deactivation of unnecessary Mac OS X network services |
S 5.166 | (Z) | Configuration of the Mac OS X Personal Firewall |
S 5.167 | (C) | Secure remote access under Mac OS X |
Operation
S 4.25 | (A) | Use of logging in Unix systems |
S 4.26 | (C) | Regular security checks of Unix systems |
S 4.377 | (Z) | Checking the Mac OS X signatures |
S 4.379 | (B) | Secure data management and transport under Mac OS X |
Disposal
S 6.148 | (C) | Disposal of a Mac OS X system |
Contingency Planning
S 4.380 | (W) | Use of Apple Software Restore under Mac OS X |
S 6.31 | (A) | Procedural patterns following a loss of system integrity |
S 6.146 | (A) | Data backup and restoration of Mac OS X clients |
S 6.147 | (A) | Restoring system parameters when using Mac OS X |