Introduction

This book is about security. Specifically, it is about understanding security issues with Mac OS X. From the basic framework of the operating system, to host-based security, to integration into an enterprise network, this book covers it all.

Mac OS X is a powerful operating system. It contains new security features that go above and beyond previous versions of Mac OS. There are keychains to store passwords. Disk volumes can be encrypted so other users cannot read your data. Permissions on files and directories can be controlled on a user and group basis. It is interoperable with more industry standards and operating systems than previous versions of Mac OS ever aspired to. With NetInfo, large-scale user and resource management is a reality. Mac OS X systems can be integrated into enterprise directory services, such as Active Directory and Apple’s own Open Directory, for management of users and resources.

Mac OS X is also more dangerous to use than previous Apple operating systems if not installed and configured correctly. Without understanding how various configuration files and commands alter the state of the machine, a user can quickly break down any security barriers that existed in the default install and leave themselves open to attack.

We will not only cover the tools and security issues, but also provide practical application and configurations where needed. By the end of this book, you will understand how to defend and audit a Mac OS X installation and how to avoid common mistakes that can expose you to security risks.

Organization and Content

We have divided this book into five major parts. In the following sections, we provide a brief overview of each part that makes up this book.

Part I: The Basics

Part I begins with an overview of security and the fundamentals of Mac OS X security. Chapter 1, “Security Foundations,” covers some basic risks and the user/group model. Chapter 2, “Installation,” highlights the issues surrounding various installations of the operating system, including guides for both the client and server versions of Mac OS X.

Part II: System Security

Part II focuses on Mac OS X on the workstation. When used as a workstation, Mac OS X has specific security considerations that need to be addressed on a per-user and per-application basis. Chapter 3, “Mac OS X Client General Security Practices,” covers general practices, such as dual booting and patching the operating system. Chapter 4, “What Is This UNIX Thing?,” introduces the UNIX layer by detailing file permissions and the security risks associated with a UNIX operating system. Many applications that ship with Mac OS X have their own particular security domains. Chapter 5, “User Applications,” covers application-level security, including risks and solutions for securing commonly used applications.

Part III: Network Security

Along with the powerful UNIX underpinnings comes a host of new networking capabilities. These are addressed in Part III. Chapter 6, “Internet Services,” explores the major facets of Mac OS X’s network services, their peculiarities, and how they can be deployed in a secure fashion. Chapter 7, “File Sharing,” deals with issues related to file sharing, including NFS, AFS, SMB, and WebDAV services. Chapter 8, “Network Services,” focuses on the tools and configuration options that can be used to defend a Mac OS X system from network attacks and reduce network vulnerabilities. This includes topics such as VPNs, firewalls, and wireless security.

Part IV: Enterprise Security

Part IV of this book addresses Mac OS X security on a larger scale. Apple is positioning Mac OS X Server as the keystone of its enterprise architecture. Maintaining an enterprise full of workstations and servers can be a daunting task. This section covers the security issues that administrators encounter when using Mac OS X Server as the core of their infrastructure. Chapter 9, “Enterprise Host Configuration,” includes Kerberos integration, Rendezvous, and WebDAV management. Chapter 10, “Directory Services,” explores Mac OS X’s capability to integrate into enterprise directory services. The three directory services covered in this chapter are Active Directory, Open Directory, and NetInfo.

Part V: Auditing and Forensics

Part V deals primarily with verifying the integrity of a Mac OS X-based infrastructure and with what to do when a system is compromised. No matter how secure a Mac OS X installation is, it may be broken into over time. Without understanding how to audit hosts and respond to attacks, all the previous sections in this book are nearly useless. Auditing tends to be forgotten in the realm of computer security. Chapter 11, “Auditing,” explains the built-in logging facilities of Mac OS X, how to set up logging correctly, and how to monitor logs. Chapter 12, “Forensics,” explores forensic solutions for Mac OS X, including host integrity management and post-mortem analysis tools. Finally, Chapter 13, “Incident Response,” covers incident recognition, response, and prevention issues from both a user and an administrative perspective.

Part VI: Appendixes

For information that did not fit well in any of the chapters, we have provided appendixes: Appendix A, “SUID and SGID Files,” Appendix B, “Common Data Security Architecture,” and Appendix C, “Further Reading.”

Target Audience

This book is aimed at intermediate to advanced Mac OS X users. It was our goal to make this book something that anyone from a home user to an administrator would find valuable.

We assume the reader has a working knowledge of Mac OS X. Due to the technical variety of this audience, some of the material assumes a knowledge of basic UNIX commands. For readers new to UNIX, we recommend the book Learning UNIX for Mac OS X, 2nd Edition, by Dave Taylor and Brian Jepson (O’Reilly & Associates).

Mac OS X Security may also be of interest to advanced users of other operating systems such as Windows or Linux, system administrators, and security administrators. Due to the UNIX core, Mac OS X is now a viable option to deploy in large-scale desktop and server environments. Administrators need to understand the innermost details of the operating system to be able to secure hundreds of hosts at a time.

Additionally, we have set up a web site containing resources and information that were not practical to include in this book. This site also contains updated information, an errata listing, links to applications, and references related to the material mentioned throughout the text. Check it out at

http://www.macsecurity.org/osx-book

Send email to

Code Convention Used in This Book

We’ve designed Mac OS X Security to be easy to use. One thing we’d like to point out is the use of code continuation characters in code lines. When code lines wrap to a second or third line, you will see a at the end of the first line, and -> at the beginning of the runover lines:

bash-2.05a$ sudo osiris -f /var/db/osiris/configs/daily.conf -o /var/db/osiris/base.osi

bash-2.05a$ mactime -z MST7MDT -b seizure-copy1.mac > seizure-copy1.timeline