Locking down Mac OS X

Ok, I recently have been given the opportunity to play around with a new MacBook Pro 15″ laptop (Mac OS X 10.4 – Tiger). So far I’m impressed, clean easy to use user interface with a nice Unix/BSD system underneath. In the process of getting it set up, I did go through and take care of some security issues to make sure I was happy. Some of these are obvious, some less so:

I. Click on the Apple Icon on the top left and select System Preferences

1. Click on Security
a. Set a master Password, and don’t forget it, this is used to recover lost accounts and such.
b. Turn on FileVault, this is a great security item, but will slow down your computer and could make crash recovery harder. I haven’t done this one yet.
c. Check require password to wake computer.
d. Check Disable Auto Login, don’t make it easier for someone who steals your laptop, it can happen.
e. Check Require password to unlock secure system preferences, this will help against trojans and such that could attack MacOSx.
f. Check user secure virtual memory, this is mostly for a multiple user system. I haven’t done this yet myself.
g. Check disable remote control infrared receiver, less critical, but if you aren’t using, why enable it?

2. Click on Bluetooth
a. Disable Discoverable, you don’t need to advertise that you are a possible hacking target. Most bluetooth devices you use don’t require your desktop to be discoverable. Only when you are trying to send files and such to the desktop for the first time with a device does this need to be enabled. After a pairing trust is setup you don’t need this enabled again for that device.

3. Click on Network
a. Select Airport and then options, then check Require admin password for Computer-to-Computer networks. There have been attacks in the past where machines (in that case, Windows) were able to create a computer-to-computer network while sitting in the airport without the need for the users’ intervention. It’s best to set this option just to make sure it doesn’t happen without your express consent.

4. Click on Sharing
a. Turn on “Remote Login” this turns on the ssh daemon so you can ssh into your box like you normally do with linux.
b. Choose Firewall and turn it on. By default, it seems MacOSX doesn’t turn on its firewall. I personally prefer to have it up and running. You can then enable different remote services though the firewall below that. I enabled Remote Login – SSH, iChat, and Network time.
c. Under Firewall Advanced, enable Block UDP Traffic and Stealth Mode. So far, neither of these have blocked traffic such as iChat Video/Sound or anything else, so better to block unwanted traffic.

5. Click on Startup Disk
a. Make sure that the lock icon on the bottom is selected. Unless you are reinstalling your base OS, no reason to have this easily changed.

Those are the preference you can change via gui. Here are some to change via command line Terminal:

II. Start Terminal, you can find this by clicking on the search tool (magnifying glass in the top right corner) and using the term terminal.

1. Set a root password. There is a root user on MacOSX, and by default it’s disabled from normal use. But I’m paranoid, so unless I know the root password I don’t like it. You can set it by using the command “sudo passwd root” which will then ask you for the new root password. You may want to set this to the same as the masterpassword. I’m not positive, but they may be linked, I haven’t researched it that far yet. Warning, this will enable the root user account. I still prefer having the password set to something I know vs being blank and disabled. Consider this optional and your preference.

2. If you’re using SSHD for remote login, make it more secure. Using “sudo vi /etc/sshd_config” set “Protocol 2″, “PermitRootLogin no”, and “AllowUsers username” to your “username” for your main account if you only want that account to ever be able to SSH into your Mac. This is very important if you enable the root account like I did in step 1.

3. Double check the sudoers file. By default, it’s set up pretty well, only root and admin users can use sudo (which means do anything as admin/root all powerful user). You might want to double check it to make sure “sudo vi /etc/sudoers”.

4. Change your users directory permission. By default, your new users directory is readable by any user on your computer. Though there may not be another user on your computer, it’s best to change that to only be accessible by you. In the terminal you could type in “cd ..” which will put you in the /Users folder. Type ls -l will give you a list of users, most likely just a Shared and your username. Then issue the command “chmod 750 username” username being your actual username. This will give you full control over your directory, but no other users besides root has access full access and admin users have read access. I would go with chmod 700 to block other admin users, but I don’t know about Mac OSX enough and what other system level problems that might cause with software daemons running.

Well that’s what I found, if you know something I missed, or a mistake I made please let me know. So far I haven’t found anything impaired by these settings for normal day-to-day use, but I’m only starting to play with Mac OS X.

About D-Caf

I'm a computer geek, what more is there to say?
This entry was posted in David, Mac OS X, Security, Technology. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *