II. System Security
by Brian Wotring, Preston Norvell, Bruce Potter
Mac® OS X Security
Copyright
Dedication
About the Authors
About the Technical Reviewers
Acknowledgments
Tell Us What You Think
Introduction
Organization and Content
Part I: The Basics
Part II: System Security
Part III: Network Security
Part IV: Enterprise Security
Part V: Auditing and Forensics
Part VI: Appendixes
Target Audience
Code Convention Used in This Book
I. The Basics
1. Security Foundations
The Basics
Threats and Risk
Common Misconceptions
The Nature of Attacks
Understanding the Technology
The Tools
Darwin
The Command Line
UNIX Security
Users and Groups
Types of Users
Root, the Super-User
Understanding User Roles
Administrative Users
Special Users
Special Groups
Introducing NetInfo
NetInfo Security
Summary
2. Installation
To BSD or Not to BSD
Filesystems—HFS+ Versus UFS
A Tale of Two Filesystems
Security Considerations
Mac OS X Install Step-by-Step
Physical Setup
Beginning the Installation
Choosing and Partitioning the Disk
Customizing the Install
The Setup Assistant (Mac OS X Client)
The Setup Assistant (Mac OS X Server)
Developer Tools
Summary
II. System Security
3. Mac OS X Client General Security Practices
Concerns About Physical Access
Doors, Locks, and Guards
Open Firmware Password
Login Window
Screen Locking
System Preferences Locking
Dual Booting and the Classic Environment
Classic and Mac OS 9
Dual Booting Dangers
Staying Current with Mac OS X
User Accounts and Access Control
Filesystem Encryption
Summary
4. What Is This UNIX Thing?
The Command Line Interface
Command Line Access
Command Line Security
Directories, Permissions, and File Ownership
File Security and Permissions
Special File Permissions
Set User ID
Set Group ID
Sticky Bits
Hidden File Flags
How to Modify Permissions and Ownership
Using chmod
Using chown and chgrp
Using chflags
Using Get Info to Modify Permissions
Common UNIX Commands
top
ps
kill and killall
last and who
find
netstat
openssl
UNIX Security
SUID and SGID Files
Kernel Security Levels
sudo
Managing sudo Access
sudo Versus the su Command
Summary
5. User Applications
General Application Security Considerations
Keychain
Using the Keychain Access Application
Creating a Secure Note
Managing Access to Keychain Items
The Keychain Access Dialog
Is the Keychain Safe?
Mail.app Security
Using SSL to Send and Receive Mail
Using SSH to Send and Receive Mail
Keeping Mail Off the Server
Storing Mail on an Encrypted Disk
Using PGP to Encrypt Email
Using PGP with Mail.app
Storing PGP Keys on an Encrypted Volume
Using GnuPG to Encrypt Email
Download, Build, and Install GnuPG
Using GnuPG with Mail.app
Storing GnuPG Keys On an Encrypted Volume
Web Browser Security Issues
Web Browsing and SSL
Cookie and Cache Management
Is Accepting Cookies from Strangers Dangerous?
Web Browser Cookie Configuration
Web Browser Cache Configuration
Summary
III. Network Security
6. Internet Services
Web Services
Mac OS X Configuration Oddities
General Security Considerations
Running Apache on a Non-privileged Port
Putting Apache in a Jail
Configuring Authenticated Access
SSL
Enabling SSL with Apache
Email Services
Sendmail
MailService
Enabling SSL Encryption for MailService
FTP
Remote Login (SSH)
Security Considerations
Server Configuration
Client Configuration
SSH Tunnels
Remote Apple Events
Security Considerations
Xinetd
Configuring xinetd in Mac OS X
The defaults Entry
Service Entries
...And one more thing...
Summary
7. File Sharing
WebDAV Services
Security Considerations
Setting Up Secure WebDAV Services on Mac OS X
Modifying the Apache Config
Creating the Lock File
Setting Up and Securing Locations
Setting Access Passwords
Additional WebDAV Options
Apple File Services
AFS Security Model
Configuring AFS Via Server Settings
Configuring AFS Via Workgroup Manager
SMB File Services
SMB Security Models
Configuration Through Server Settings
Configuration Through Workgroup Manager
Configuration Through Terminal
IP Access Control
Veto Files
Logging
Network File System
NFS Structure
Configuring NFS Through Server Settings
Configuring NFS Through Workgroup Manager
Configuring NFS Through Terminal
Re-Exporting Via AFS
Personal File Sharing
Making Secure AFS Connections
Summary
8. Network Services
Firewalling
Using Built-in Tools
Mac OS X Client
Mac OS X Server
Manually Configuring the Firewall
Kernel Configuration
Alternatives to Apple
VPN
IPSec
Under the Hood
racoon
PPTP
PPTP Via Internet Connect
vpnd
AirPort Security
Configuring WEP
Using LEAP
Static ARP
Software Base Station
Antivirus Protection
Common Sense
Unknown Documents
Preview Panes and Embedded Objects
Network Shares
Antivirus Software
Summary
IV. Enterprise Security
9. Enterprise Host Configuration
Login Window
Changing the Login Window Graphic
Adding a Login Banner
Using Kerberos Authentication
Kerberos
Integrating Mac OS X Clients into a Kerberos Environment
Using Kerberized Services on Mac OS X Server
Security Issues with Kerberos and Mac OS X Services
Rendezvous
Rendezvous Security
Summary
10. Directory Services
Yet Another “The Basics”
NetInfo
Authentication
Authorization
The _writers* Property
The trusted_networks Property
Data Privacy
Open Directory
Connecting Mac OS X to an Open Directory Server
Authentication
Authorization
Data Privacy
More Fun with Directory Access
AppleTalk
BSD Configuration Files
LDAPv2
LDAPv3
NetInfo
Rendezvous
SLP
SMB
Summary
V. Auditing and Forensics
11. Auditing
The Importance of Logging
General Considerations
The Importance of Time
Permissions and Access
Log Rotation
Log Archives and Secure Storage
Logging Options and Configuration
Syslog
Isolating SSH Messages
Isolating sudo Messages
Isolating xinetd Server Messages
Logging Network Services
AFS
FTP
Windows File Sharing (SMB/CIFS)
Print Services
Mail Services
Apache
DNS
DHCP and SLP
QuickTime Streaming Server
Software Update
DirectoryService
Watchdog
CrashReporter
Monitoring Logs
The Basics
Routine Audits
Command Line Tools
Automated Monitoring and Notification with swatch
Installing swatch
swatch Configuration
Log Location Reference
Summary
12. Forensics
An Overview of Computer Forensics
Acquisition
Analysis
Osiris
General Security Considerations
Installing Osiris
Configuring and Automating Osiris
Using Osiris to Monitor SUID Files
Using scale
Forensic Analysis with TASK
Overview of TASK
Getting the Data
Analysis with TASK
Analyzing the Filesystem
Looking at Timestamps
Summary
13. Incident Response
What Does Incident Response Mean to You?
Incident Response Life Cycle
Preparation
Asset Identification
Escalation Procedures
Chain of Custody
Technical Procedure
Detection
Accurate Assessment
Quick and Fully Contained Response
Feedback
Detection and Assessment
Minimizing Change
Point Person
Response
Isolating the System
Backing Up the System
Vulnerability Assessment and Mitigation
System and Service Restoration
Postmortem
Summary
VI. Appendixes
A. SUID and SGID Files
SUID Files
SGID Files
B. Common Data Security Architecture
Benefits of the CDSA
CDSA Structural Overview
Add-in Modules
Common Security Services Manager (CSSM)
Security Services
Apple’s CDSA Security Services
A Note to Developers
C. Further Reading
Chapter 1—Security Foundations
Chapter 2—Installation
Chapter 3—Mac OS X Client General Security Practices
Chapter 4—What Is This UNIX Thing?
Chapter 5—User Applications
Chapter 6—Internet Services
Chapter 7—File Sharing
Chapter 8—Network Services
Chapter 9—Enterprise Host Configuration
Chapter 10—Directory Services
Chapter 11—Auditing
Chapter 12—Forensics
Chapter 13—Incident Response