S 4.373 Deactivation of unnecessary hardware under Mac OS X

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

All devices and interfaces that are not required under Mac OS X should be deactivated. If, for example, web cams or microphones are not permitted in a company or government agency, the corresponding kernel extension (kext) can be deleted, which makes accessing the hardware, and thus potential eavesdropping, more difficult.

The kexts are located in the following directory:

/System/Library/Extensions

The corresponding kexts are then selected in this directory and deleted securely.

File name of the kernel extension                Function of the kernel extension
-----------------------------------------------  --------------------------------
AppleAirPort2.kext                               WLAN
AppleAirPort.kext                                WLAN
AppleAirPortFW.kext                              WLAN
IOBluetoothFamily.kext                           Bluetooth
IOBluetoothHIDDriver.kext                        Bluetooth
AppleIRController.kext                           Infrared receivers
AppleOnboardAudio.kext                           Audio
AppleUSBAudio.kext                               Audio
AudioDeviceTreeUpdater.kext                      Audio
IOAudioFamily.kext                               Audio
VirtualAudioDriver.kext                          Audio
Apple_iSight.kext                                Video
AppleUSBVideoSupport.kext                        Video
  (This file is located within IOUSBFamily.kext in the subdirectory /Contents/PlugIns.)
IOUSBMassStorageClass.kext                       USB mass storage devices
IOFireWireSerialBusProtocolTransport.kext        FireWire

Afterwards, the following command must be executed to update the modification date of the folder. This invalidates the kernel extension cache, which is then discarded and rebuilt.

sudo touch /System/Library/Extensions

Before the kernel extensions are deleted securely from the Trash, which prevents simple restoration, they should be backed up, for instance on a network drive. This copy should be stored at a secure location and be accessible only to administrators.

Even if a kext has been removed to prevent access to the corresponding hardware, it may be reinstalled by a newer version of the software, for example after an Apple software update. Therefore, after every system update it should be checked whether the kexts are still deleted. All changes to Mac OS X relating to kexts must be documented at a suitable location.
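The check after a system update can be scripted. The following POSIX shell script is an added example and not part of the BSI catalogue; it takes the kext names from the table above, tests whether any of them has reappeared in /System/Library/Extensions (or in a directory given as argument) and, on Mac OS X, additionally reports matching kexts that are currently loaded via kextstat. The grep pattern in the second function is a heuristic on bundle identifiers and is an assumption of this example.

```shell
#!/bin/sh
# Verify that the kernel extensions removed under S 4.373 are still absent.
# Usage: sh check_kexts.sh [EXTENSIONS_DIR]   (default: /System/Library/Extensions)
# Exit status of check_removed_kexts: 0 = all absent, 1 = at least one present.

# Kexts from the table in S 4.373; the last entry is the plugin inside IOUSBFamily.kext.
REMOVED_KEXTS="
AppleAirPort2.kext
AppleAirPort.kext
AppleAirPortFW.kext
IOBluetoothFamily.kext
IOBluetoothHIDDriver.kext
AppleIRController.kext
AppleOnboardAudio.kext
AppleUSBAudio.kext
AudioDeviceTreeUpdater.kext
IOAudioFamily.kext
VirtualAudioDriver.kext
Apple_iSight.kext
IOUSBMassStorageClass.kext
IOFireWireSerialBusProtocolTransport.kext
IOUSBFamily.kext/Contents/PlugIns/AppleUSBVideoSupport.kext
"

# Print every listed kext that exists below the given directory; return 1 if any does.
check_removed_kexts() {
    ck_dir="${1:-/System/Library/Extensions}"
    ck_found=0
    for ck_kext in $REMOVED_KEXTS; do
        if [ -e "$ck_dir/$ck_kext" ]; then
            echo "PRESENT: $ck_dir/$ck_kext"
            ck_found=1
        fi
    done
    return $ck_found
}

# On Mac OS X, list loaded kexts whose bundle identifier matches one of the removed
# families (heuristic name fragments, assumed for this example). Skipped elsewhere.
loaded_removed_kexts() {
    command -v kextstat >/dev/null 2>&1 || return 0
    kextstat -l | grep -i -E 'AirPort|Bluetooth|IRController|Audio|iSight|USBVideo|USBMassStorage|FireWireSerialBus'
}

# When executed with a directory argument, run both checks against it.
if [ $# -gt 0 ]; then
    check_removed_kexts "$1" && echo "All listed kexts are absent."
    loaded_removed_kexts
fi
```

A non-zero exit status of check_removed_kexts after an update indicates that the deletion step must be repeated and documented.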

If removing the kernel extension is not considered sufficiently secure, the corresponding hardware components can be physically removed.

Review questions: