S 4.371 Configuration of Mac OS X clients
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
After Mac OS X has been installed on the clients, they must be configured. The settings required depend mainly on the intended purpose of the client. This safeguard describes the secure client configuration.
The following aspects must be considered for the secure basic configuration of a Mac OS X system:
Updating the operating system
In general, an operating system should be updated immediately after installation to eliminate known errors in software components. In addition, it should be checked at regular intervals whether program updates are available. Under Mac OS X, this can be configured in the system settings under "Software Update".
To use the swupdate.apple.com update server, the following command line command can be used:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL http://swupdate.apple.com:8088/index-leopard-snowleopard.merged-1.sucatalog
To update the operating system from the command line, the command "softwareupdate --download --all --install" can be executed. Installing updates requires administrator rights. If there is an internal update server in the local network, it should be used.
Defining an internal Apple update server
To keep the Mac OS X operating system up to date, the integrated update function can be used. It is recommended to operate a separate internal update server. Internal network connections can then be used and higher transfer rates achieved, less data has to be exchanged with the Internet, and the updates need to be examined for viruses or modifications only once. A further reason for an internal update server is that the compatibility between an update and the existing software components can be examined properly before the update is distributed across the entire network.
Lowering the validity period of the sudo command
If the sudo command is used to execute a program with root privileges and the corresponding password is entered, the authentication remains valid for five minutes. Even if the console process is closed and a new console window is opened, no new password is requested and any program can be executed with root privileges. Therefore, the /etc/sudoers file should be changed as follows:
Defaults timestamp_timeout=0
Defaults tty_tickets
This ensures that each authentication permits only a single command with root privileges, and that the authentication is tied to the terminal process in which it took place.
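As an added example that is not part of this safeguard text, the following shell functions check whether a sudoers file actually carries both settings before and after it is deployed. They accept the comma-separated form "Defaults timestamp_timeout=0,tty_tickets" as well, ignore comments, and deliberately do not count user-specific lines such as "Defaults:alice tty_tickets", because the requirement is system-wide. The function names and the sample file are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the BSI safeguard): audit the two sudo hardening
# settings in a sudoers file. Works with any POSIX awk.

# sudoers_has_default FILE OPTION
# Returns 0 when OPTION appears on a global "Defaults" line of FILE, either
# on its own or as one entry of a comma-separated list. Whitespace around
# "=" is normalised, so "timestamp_timeout = 0" matches "timestamp_timeout=0".
sudoers_has_default() {
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        $1 != "Defaults" { next }                 # not a global Defaults line
        {
            sub(/^[[:space:]]*Defaults[[:space:]]+/, "")
            sub(/[[:space:]]*#.*$/, "")           # trailing comment
            gsub(/[[:space:]]*=[[:space:]]*/, "=")
            n = split($0, items, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (items[i] == opt) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# sudoers_hardened FILE
# Prints every missing setting and returns 1 if any is missing, else 0.
sudoers_hardened() {
    missing=0
    for opt in "timestamp_timeout=0" "tty_tickets"; do
        if ! sudoers_has_default "$1" "$opt"; then
            echo "MISSING: Defaults $opt"
            missing=1
        fi
    done
    return $missing
}

# sudoers_syntax_ok FILE
# A sudoers file with a syntax error locks every administrator out, so run
# the parser check before installing it. Skipped where visudo is not present.
sudoers_syntax_ok() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" >/dev/null
    else
        echo "visudo not available, syntax not checked" >&2
    fi
}

# Constructed sample (not a real system file): both settings on one line.
sample="$(mktemp)"
printf 'Defaults env_reset\nDefaults timestamp_timeout=0,tty_tickets\nroot ALL=(ALL) ALL\n' > "$sample"
if sudoers_hardened "$sample" && sudoers_syntax_ok "$sample"; then
    echo "sample sudoers is hardened"
fi
rm -f "$sample"
```

On a client the live file is checked with "sudo sudoers_hardened /etc/sudoers" after sourcing the script; a non-zero exit status lists exactly which of the two Defaults entries is still missing.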
Reducing the list of the objects used last
Mac OS X stores a list of the recently used applications, documents and server connections. This information makes work easier, but it also allows confidential information to be deduced, for example which documents were worked on recently or the addresses of the servers used last. To restrict this information to a minimum, the "Remembering used objects" setting can be set to "None" in the system settings under Appearance. Alternatively, this can be done via the command line:
defaults write com.apple.recentitems Applications -dict MaxAmount 0
Deactivating the automatic opening of "secure files" in Safari
The Safari browser supplied by Apple offers the option of opening files directly after download using the associated program. This setting also makes it possible for files that could contain malicious code to be executed automatically and without confirmation. If, for example, a prepared PDF file is downloaded from an untrusted source such as a manipulated website and opened automatically, embedded malicious code could be executed, resulting in data loss or other problems. To deactivate automatic opening, the "Opening secure files after the download" item must be deactivated in the Safari settings under the "General" tab.
Installation of a virus protection program
A virus protection program must be installed on each Mac OS X client, and it must be ensured that its signatures are updated at regular intervals. The virus protection program should run in the background and scan a file at least when it is accessed. Additional information can be found in safeguard S 4.3 Use of virus protection programs. It should also be ensured that the virus protection program detects malicious software for Windows systems, so that it is possible to communicate safely with Windows systems.
Data backups
To lose as little information as possible in the event of an incident and to be able to continue to work normally quickly, a regular data backup should be performed. Detailed information can be found in the safeguard S 6.146 Data backup and restoration of Mac OS X clients.
Adapting the time zone and time synchronisation
On each IT system, time and date should be set correctly. If the time difference between two IT systems is too large, errors can occur during authentication; the Kerberos protocol, for example, requires that time and date are set correctly. In the system settings under "Date and time", the currently set time and date can be viewed and changed. It is recommended to use a separate, preferably internal, time server. If this is not possible, an external time server can be used, for example the ptbtime1.ptb.de time server of the Physikalisch-Technische Bundesanstalt (PTB) in Braunschweig (see S 4.227 Use of a local NTP server for time synchronisation).
Activating "Secure emptying of the Trash"
To prevent files believed to have been deleted from the Trash under Mac OS X from being restored, the Trash should be emptied at regular intervals. In addition, Mac OS X offers the "Secure emptying" setting, with which the operating system overwrites the files with a bit pattern when the Trash is emptied. To activate this setting, the Finder preferences must be opened and the "Empty Trash securely" item ticked in the "Advanced" section.
Deactivating the Autostart function
The Autostart function allows programs on external data media, for example CDs, DVDs or external hard disks, to be executed immediately when the media are connected to the computer. Since programs executed automatically in this way could also contain malicious software, this function should be deactivated for each user. In the system settings under "CDs & DVDs", the "No action" option must be set for all listed entries.
Note: The Autostart function only takes effect when Mac OS X identifies the inserted medium as a blank CD/DVD, "Music CD", "Picture CD" or "Video CD".
These settings can also be defined via the console:
# Disable blank CD automatic action:
defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.cd.appeared -dict action 1
# Disable music CD automatic action:
defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.music.appeared -dict action 1
# Disable picture CD automatic action:
defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.cd.picture.appeared -dict action 1
# Disable blank DVD automatic action:
defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.blank.dvd.appeared -dict action 1
# Disable video DVD automatic action:
defaults write /Library/Preferences/com.apple.digihub com.apple.digihub.dvd.video.appeared -dict action 1
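Writing the five settings is only half of the safeguard; an administrator also needs to verify that they are in place, for example on clients where a user may have changed the "CDs & DVDs" pane again. The following added example, which is not part of this safeguard text, parses the text that "defaults read /Library/Preferences/com.apple.digihub" prints and reports every event that is absent or whose action is not 1. Because it works on captured text, it can be run against dumps collected from many clients as well as against the live system. The function name and the sample dump are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the BSI safeguard): audit the Autostart ("digihub")
# events. Input is the text printed by
#   defaults read /Library/Preferences/com.apple.digihub
# which uses the old-style plist notation:
#   "com.apple.digihub.cd.music.appeared" =     {
#       action = 1;
#   };

# The five events the safeguard requires to be set to action 1 (No action).
DIGIHUB_EVENTS="com.apple.digihub.blank.cd.appeared
com.apple.digihub.cd.music.appeared
com.apple.digihub.cd.picture.appeared
com.apple.digihub.blank.dvd.appeared
com.apple.digihub.dvd.video.appeared"

# digihub_noncompliant DUMP_TEXT
# Prints one line per event that is not configured or whose action is not 1.
# Returns 0 when all five events are compliant, 1 otherwise.
digihub_noncompliant() {
    printf '%s\n' "$1" | awk -v events="$DIGIHUB_EVENTS" '
        BEGIN { n = split(events, req) }          # whitespace/newline separated
        # Start of a dictionary entry: remember which event it belongs to.
        /^[[:space:]]*"?com\.apple\.digihub\.[a-z.]+"?[[:space:]]*=[[:space:]]*\{/ {
            key = $1; gsub(/"/, "", key); next
        }
        # Inside an entry, pick up the value after "action =" and drop the ";".
        key != "" && /^[[:space:]]*action[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/;[[:space:]]*$/, "", val)
            action[key] = val; next
        }
        /^[[:space:]]*\};/ { key = "" }           # end of the entry
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                e = req[i]
                if (!(e in action))        { print e ": not configured"; bad = 1 }
                else if (action[e] != "1") { print e ": action = " action[e]; bad = 1 }
            }
            exit bad
        }
    '
}

# Constructed sample dump (not captured from a real system): blank media are
# handled, music CDs still trigger an action, two events were never written.
# Any value other than 1 counts as non-compliant; the path line shows that
# additional keys inside an entry are ignored.
SAMPLE_DUMP='{
    "com.apple.digihub.blank.cd.appeared" =     {
        action = 1;
    };
    "com.apple.digihub.blank.dvd.appeared" =     {
        action = 1;
    };
    "com.apple.digihub.cd.music.appeared" =     {
        action = 2;
        path = "/Applications/Example.app";
    };
}'

if digihub_noncompliant "$SAMPLE_DUMP"; then
    echo "all Autostart events set to No action"
fi

# On a Mac OS X client the live settings are audited the same way:
#   digihub_noncompliant "$(defaults read /Library/Preferences/com.apple.digihub)"
```

The check treats a missing entry as a finding rather than assuming the default, because a freshly installed client has no digihub preference file at all and would otherwise pass silently.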
Removing unnecessary programs
Mac OS X installs several programs by default that should be removed to minimise potential points of attack, for example games or various multimedia applications. Which programs are necessary and which are to be removed must, however, be assessed according to the local conditions. On production systems, only the programs required for the work to be carried out may be installed. If standard programs are removed, these modifications must be documented.
The following programs should be removed at a minimum:
- AppleScript folder including its contents
- Automator
- Chess
- Front Row
- iTunes
- iChat
- Photo Booth
- QuickTime
- Dashboard
After selecting the boot drive, the programs can be found in the Finder in the "Applications" directory. Some of these programs are also referenced in the Mac OS X Dock; these references must be removed as well.
Alternatively, the Dashboard can be deactivated using the following command line command:
defaults write com.apple.dashboard mcx-disabled -boolean yes
In each case, all widgets should be deleted from the Finder | Hard Disk | Library | Widgets directory. Additionally installed widgets may be located in the respective user directories under Library | Widgets. Alternatively, a search for "*.wdgt" can be carried out to find and remove all widgets on the system.
Activating "Secure virtual storage"
If there is insufficient free memory, Mac OS X moves parts of the memory contents to the local hard disk. These data are stored in a "swap" file in unencrypted form and can sometimes contain sensitive information. When the IT system is switched off, the contents of the memory are discarded; the data in the stored "swap" file, however, remain after a reboot until they are overwritten. If the system has been put into hibernation mode, the entire contents of the memory are additionally written in unencrypted form to a "sleepimage" file alongside the existing "swap" file. If "Using secure virtual storage" is activated, the data in the "swap" and "sleepimage" files are stored on the local hard disk only in encrypted form. Secure virtual storage can be activated under "System Settings | Security | General | Using secure virtual storage". Alternatively, this setting can be configured in the "Terminal" application using the following command:
defaults write /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -bool YES
Deactivating location services
Using data from nearby WLAN networks, the approximate location of a Mac OS X client can be determined. This location information can be used to set system parameters such as the time zone automatically. However, websites with a location function can also use this information to determine the location of their visitors. This can be useful, for example to display the nearest cash machine or post office, but it is also problematic from a data protection and security perspective. If a website wants to determine the location, a dialogue box usually appears asking the user for permission. Nevertheless, location services should generally be deactivated in the system settings under "Security | General".
Deactivating automatic login
Automatic login on the system must be deactivated. If it is possible to log in to a Mac OS X system without being asked for a password, many security functions are bypassed. The "Deactivating automatic login" option can be found in the system settings under "Security" in the "General" tab and must be activated.
Activating the screen lock
When the screen saver or sleep mode ends, the currently logged-in user must be asked for the password again. The "Password required" option, with the possible values
- immediately
- 5 seconds
- 1 minute
- 5 minutes
- 15 minutes
- 1 hour
- 4 hours
after the start of sleep mode or the screen saver, can be found in the system settings under "Security" in the "General" tab and must be activated. This value should be set as low as possible; a maximum of 15 minutes is recommended (see also S 4.2 Screen lock).
Logging out after X minutes of inactivity
If the IT system is idle for a longer period, logging the user out automatically can make sense. The "Logging out after X minutes of inactivity" option can be found in the system settings under "Security" in the "General" tab and can be activated. This value must be set as low as possible. If the system is to log the user out automatically after a certain period, a value of 15 minutes is recommended.
Activating the firmware password
To prevent changes to the system firmware, the firmware password should be activated. Once it is active, no changes to settings such as the boot options can be made without authentication. The installation DVD of Mac OS X contains an application named "Open Firmware Password Utility" with which the firmware password can be set and reset.
In addition to the password protection of the firmware, one of three security modes can be selected using the system's own nvram tool. The mode is set with the following terminal commands from within the operating system:
- None: This setting provides no protection of the Extensible Firmware Interface (EFI) of a Mac OS X system; it is the default value:
$ sudo nvram security-mode="none"
- Command: This setting provides password protection against changes to the firmware and against booting from a medium other than the system partition:
$ sudo nvram security-mode="command"
- Full: In addition to the "Command" setting, this security policy requires a system password on every boot and reboot of the computer:
$ sudo nvram security-mode="full"
The default value should be raised from "none" to at least "command".
Notes: The nvram tool requires administrator or root privileges to apply this recommendation. In addition, it must be considered that the firmware password is not stored in the NVRAM in encrypted form, but in plain text, hexadecimally encoded. Any system administrator is able to read this password.
Increasing the security of the keychain
The keychain password should be changed so that it no longer matches the password of the logged-in user. This prevents a person who gains unauthorised access to the computer from also gaining access to all information in the keychain. To change the password, the "Keychain Access" application in the Utilities folder must be opened and the "Change Password for Keychain "login"" option selected from the "Edit" menu. This removes the synchronisation between the user account password and the keychain password. In addition, the "Change Settings for Keychain "login"" option should be used to activate the "Lock after X minutes of inactivity" and "Lock when sleeping" options. For the first option, a period of 15 minutes is recommended.
Requiring a password for each system setting
The "Require password to unlock each System Preferences pane" option should be activated so that only administrators are able to change system settings. This also ensures that, in the event of unauthorised access, only the settings that have already been unlocked can be changed. The option can be found in the system settings under "Security" in the "General" tab.
Deactivating the guest user account
Under Mac OS X, the guest user account is activated by default and must be deactivated together with the access to shared folders for guests. Under "System Settings | User | Other Accounts | Guest Account", the "Allowing guests to access shared folders" option must be deactivated.
Manual modification of the configuration files
The system configuration of Mac OS X can be changed by editing the configuration files with a text editor, by command line calls, or through a graphical user interface. Using several of these methods on the same system can create inconsistencies, because the changes are often stored in different configuration files and no synchronisation takes place between them. Security settings may then cancel each other out or make administration of the Mac OS X client more complicated.
If, for example, one user is granted access by editing the SSH configuration file "sshd_config" in a text editor and another user is granted access via the graphical user interface in the system settings for "Remote login", neither of these users will be able to log in to the system via SSH.
Therefore, it should be defined which method to adapt the configuration files is used under Mac OS X. All administrators must be informed about this approach.
Review questions:
- Are there rules and regulations on how to configure Mac OS X?
- Is it ensured that the operating system and the application programs are updated after the installation?
- Was the automatic opening of "secure files" by Safari deactivated under Mac OS X?
- Were the guest user account and the Autostart function of Mac OS X deactivated?
- Was a firmware password set for Mac OS X?
- Was the validity period of the sudo command lowered?