Mac OS X Server Hardening Checklist
The hardening checklists are based on the comprehensive checklists produced
by CIS. The Information Security Office has
distilled the CIS lists down to the most critical steps for your systems,
with a particular focus on configuration issues that are unique to the computing
environment at The University of Texas at Austin.
How to use the checklist
Print the checklist and check off each item you complete to ensure that
you cover the critical steps for securing your server. The Information
Security Office uses this checklist during risk assessments as part of the
process to verify that servers are secure.
How to read the checklist
Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
Check (√) - This is for administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system.
CIS - Reference number in the Center for Internet Security Mac OS X Benchmark (PDF, requires UT EID login). The CIS document outlines in much greater detail how to complete each step.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
| MAC Address | |
| IP Address | |
| Machine Name | |
| Asset Tag | |
| Administrator Name | |
| Date | |
Preparation and Installation

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 1 | | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | n/a | § | ! | | 5.1 |
| 2 | | Consider installing Bastille for Mac OS. | n/a | § | ! | | n/a |
| 3 | | Enable the Open Firmware Password. | 1.3 | § | ! | | 4.1 |
| 4 | | Enable automatic notification of new patches and patch if necessary. | 3.3.5 | § | ! | | 5.3 |

OS Foundation

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 5 | | Time synchronization: configure an NTP server. | 2.2 | § | ! | | n/a |
| 6 | | Enable logging/process accounting. | 2.3.2 | § | ! | | 6.1 |
| 7 | | Enable logcheck. | n/a | § | ! | | 6.4 |
| 8 | | If services are running, ensure the university warning banner is utilized. | 2.4 | § | ! | | 5.10 |

System Services

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 9 | | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | 3 | § | ! | | 5.4 |
| 10 | | Limit connections to services running on the host to authorized users of the service (utilize firewall technology). | 3.2 | § | ! | | 5.5 |

Additional Steps

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 11 | | Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | 4 | § | ! | | 5.9 |
| 12 | | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | 4.1.2 | § | ! | | 5.7 |
| 13 | | Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications to ensure Category I data does not traverse the Internet in clear text. | n/a | § | ! | | 5.6 |
| 14 | | If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | n/a | § | ! | | 5.8 |
| 15 | | Install and enable anti-virus software. | n/a | § | ! | | 3.1 |
| 16 | | Configure the anti-virus software to update its signatures daily. | n/a | § | ! | | 3.3 |
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1. If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall between the network and the host to be protected.

2. One easy tool that helps harden Linux computers is “Bastille UNIX.” The same tool has been used to harden Mac OS X. NOTE: Bastille may have compilation issues on Tiger.

3. Enable an Open Firmware password appropriate for your OS version:
   - For Mac OS X 10.1 to 10.3.9, download the Open Firmware Password Application.
   - For Mac OS X 10.4 or later, you must use the updated version that can be copied from the software installation disc (located at /Applications/Utilities/ on the disc).

4. Verify that software update is set:
   - Open System Preferences and click Software Updates.
   - Click Check for Updates and set the interval to Weekly or Daily.
   - If you have Microsoft Office 2004 installed, launch /Applications/Microsoft AutoUpdate.app, click Automatically and set the interval to Weekly or Daily.
   - If you have other applications that provide security updates, such as Adobe products, configure them to update Weekly or Daily too.

5. ITS Telecommunications and Networking operates two stratum 2 NTPv4 (NTP version 4) servers that provide network time synchronization services for university network administrators.

6. Turn on process accounting:
   - "mkdir /var/account"
   - "touch /var/account/acct"
   - "accton /var/account/acct" or reboot
   - "chmod o-rx /usr/bin/lastcomm"
   - "chmod -R o-rx /var/account"

7. logcheck: http://www.hmug.org/UnixHowTos/index.php?logcheck
   On Tiger Server, with Open Directory, there is a required admin user called "diradmin" that should be secured and have its access logged. As with any logs, the more detail the better.

8. The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included. To add the warning information to the message of the day file, edit /etc/motd and paste the text from the university’s warning banner into this file. To change the banners for GUI login, refer to the CIS document; the procedure is fully described there.

9. The list of available services can be found in System Preferences under the Services tab of the Sharing icon. Be especially wary of sharing services; misconfiguring this setting could grant full access to important files or system resources. Much more detailed information regarding services is available in the CIS benchmark documents. For example, SSH/Remote Login is on by default out of the box. Unless it is being utilized, turn it off in the Sharing system preferences.

10. Administrators may find the firewall native to Mac OS X, ipfw, robust and easily managed:
   http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/ipfw.8.html
   Another OS X firewall option is the Norton Personal Firewall, available from BevoWare. You may also want to refer to the list of Mac OS X network service ports from Apple KB 106439. NOTE: OS X Panther has known bugs with its implementation of ipfw. It is strongly recommended to review the details of the related bug or use a more recent version of OS X.

11. BSD files:
   - Check in /groups/admin to see who has admin privileges.
   - Check in /etc/passwd to look for blank passwords.

   OpenDirectory users: list all users with the nireport utility:

   $ nireport . /users uid name home realname shell

   Groups: to list all group IDs (GIDs) and group names for the local domain, use the nireport utility:

   $ nireport . /groups gid name

   Passwords:
   - Utilize pwpolicy to set global or per-user password policies. Using pwpolicy, one can set the expiry date, require alpha or numeric characters, set the maximum failed login count, and set the password length, among others.
   - Check the strength of users’ passwords with tools such as John the Ripper.
   - Seek approval from the IT Owner. Consider using a simple dictionary for easily guessed passwords.
   - Develop a procedure to report and remediate easily guessed passwords.
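Two of the checks in this note (blank password fields in /etc/passwd and who holds admin group membership) as a shell script. This is an added example, not part of the ISO checklist; it assumes passwd- and group-format files whose paths are passed in, and uses constructed sample data in place of the real files.

```shell
#!/bin/sh
# Added example, not part of the ISO checklist: two checks for step 11, run
# against passwd- and group-format files whose paths are passed in (on the
# server, /etc/passwd and /etc/group, or copies exported from the directory).

# Print every login name whose password field (second colon-separated column)
# is empty. A blank field means the account needs no password; on Mac OS X the
# field is normally "*" or "********" because the hash is stored elsewhere.
find_blank_passwords() {
    awk -F: 'NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Print the members of one group (fourth column of a group-format file), one
# per line, so admin membership can be compared with the approved list.
list_group_members() {
    awk -F: -v grp="$2" '$1 == grp {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/group.
tmpdir=$(mktemp -d)
SAMPLE_PASSWD="$tmpdir/passwd"
SAMPLE_GROUP="$tmpdir/group"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
diradmin:********:1025:1025:Directory Administrator:/var/empty:/usr/bin/false
guest::501:20:Guest Account:/Users/guest:/bin/bash
alice:********:502:20:Alice:/Users/alice:/bin/bash
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
wheel:*:0:root
admin:*:80:root,alice,guest
staff:*:20:root
EOF

echo "Accounts with a blank password field:"
find_blank_passwords "$SAMPLE_PASSWD"
echo "Members of the admin group:"
list_group_members "$SAMPLE_GROUP" admin
```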
12. There are a variety of methods available to accomplish this goal. Mac OS X comes with FileVault. NOTE: FileVault works with local home directories only, not home directories on the server or any other kind of data. Instead, REALLY important data could be secured by putting it on encrypted disk images (which is what FileVault does), but this will be neither automatic nor transparent to the user. Two other good candidates are PGP (cost) and GNUPG (free).

13. If you decide to use Remote Login (SSH server), the ISO highly recommends that you change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against SSH servers, and the scripts always attack port 22 since most people do not change the default port. The ISO also highly recommends that you do not allow root logins via Remote Login (SSH).
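A shell check for the two settings this note recommends, as an added example that is not part of the ISO checklist. It assumes the sshd_config path is passed in, that a missing keyword falls back to the OpenSSH defaults of that era (PermitRootLogin yes, Port 22), and it uses constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the ISO checklist: audit an sshd_config for the two
# settings note 13 calls out (root login over SSH and the default port 22).
# The path is a parameter so the check can be pointed at the server's own
# /etc/sshd_config or at a saved copy.

# Print the effective value of an sshd_config keyword. sshd uses the first
# non-comment occurrence, so the same rule is applied here; commented-out
# lines such as "#Port 22" are skipped. If the keyword is absent, print the
# supplied default (assumed here: PermitRootLogin yes, Port 22).
sshd_setting() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# Report both findings; return 0 only when both settings are acceptable.
audit_sshd_config() {
    rc=0
    root=$(sshd_setting "$1" PermitRootLogin yes)
    port=$(sshd_setting "$1" Port 22)
    if [ "$root" = "no" ]; then
        echo "OK: PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '$root'; set it to 'no'"; rc=1
    fi
    if [ "$port" = "22" ]; then
        echo "FAIL: sshd listens on the default port 22"; rc=1
    else
        echo "OK: sshd listens on port $port"
    fi
    return $rc
}

# Constructed sample files: a stock-style config with only commented-out
# defaults, and a hardened copy following the note.
tmpdir=$(mktemp -d)
STOCK_SSHD_CONFIG="$tmpdir/sshd_config.stock"
HARDENED_SSHD_CONFIG="$tmpdir/sshd_config.hardened"
printf '#Port 22\n#PermitRootLogin yes\nProtocol 2\n' > "$STOCK_SSHD_CONFIG"
printf 'Port 2022\nPermitRootLogin no\nProtocol 2\n' > "$HARDENED_SSHD_CONFIG"

echo "== stock =="; audit_sshd_config "$STOCK_SSHD_CONFIG" || true
echo "== hardened =="; audit_sshd_config "$HARDENED_SSHD_CONFIG"
```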
14. Available tools include:

15. Download and install Norton AntiVirus from BevoWare (at no additional cost).

16. Documentation can be found on the ITS Web site. Norton AV AutoProtect may impact a production OS X server's performance and may not be deemed essential to ensuring security of the system or the network. In this case, daily or weekly scheduled scans may be adequate.