Hardening Your Macintosh
os x security, auditing, hardening, pen-testing, privacy & more...
updated 2.15.05





security guides, presentations & tutorials:

Angelo Laub's slides from his presentation "Mac OS X Insecurity" at the 21C3 congress.
Also his paper entitled Mac OS X Insecurity is available.

Paul Day has released a detailed and concise paper and slides titled "Securing Mac OS X".

The U.S. National Security Agency (NSA) guide to securing the OS X Operating System.
NSA download

Mac OS 10.3 Server Security by Charles Edge (krypted) - DefCon 12 presentation August 2004
OSX Server Security.ppt - .pdf version

A Corsaire White Paper: Securing Mac OS X by Stephen de Vries - June 2004 - A thorough new security & hardening tutorial
www.corsaire.com/white-papers/040622-securing-mac-os-x.pdf

Macintosh OS X.3 Panther Benchmark Security Document (Draft) March 2004 -
CIS-OSX-draft.pdf

Mac OS X Security Framework by Leon Towns-von Stauber, from the Seattle SAGE Group, February 2004
www.occam.com/osx/OSX_SecFmwk.pdf

Intro to Mac OS X: 5 Security by Marius Schamschula -
www.hmug.org/Pres/X_Secure/X_Secure.pdf

Locking Down Mac OS X by Jay Beale from Black Hat 2003 -
www.blackhat.com/presentations/bh-usa-03/bh-us-03-beale.pdf

Mac OS X System Hardening Policy - July 1, 2003 Version 1.0
oit.utk.edu/infosec/wwwDoc/MacOSXhardening_7-1-03.pdf

Mac OS X 10.2 Benchmark v1.3.4 (Darwin 6.x)
BenchmarkGuide.pdf

Mac Security by Leon Towns-von Stauber, from the O'Reilly Mac OS X Conference 2002 -
conferences.oreillynet.com/presentations/macosx02/towns_leon.pdf

Macintosh OS X Vulnerabilities and Intrusion Detection by Dan Jensen - Sept. 2002 -
www.kaweah.com/Research/OSXSecurity.pdf

Practical Security Techniques for Macintosh OS X Laptop Users by David H Hickman - August 13, 2002
www.giac.org/practical/David_Hickman_GSEC.doc

SANS Mac Reading Room - Several papers
www.sans.org/rr/catindex.php?cat_id=34

Mac OS X Security by Rick Hill, Jackie Simmons, Paul Waterstraat - Older OS X security notes.
security.ucdavis.edu/MacOSXSecPaulAnnot.pdf

OS X Client Management by Jackie Simmons - Client Security for OSX Labs
security.ucdavis.edu/MacOSXSecurityJS.pdf

Securing Mac OS X by Simon Edwards -
www.psiborg.net/transceiver/txt/osx.html


security web sites:

Apple Security Updates
docs.info.apple.com/article.html?artnum=61798

Source of some great osx projects and information
www.macsecurity.org

Utah.edu's great osx security resource
www.macos.utah.edu/Documentation/macosx/security/security.html

Good archive of info. Unfortunately this site is getting more and more out of date.
www.securemac.com


system integrity:

Known Good Lists: List of MD5 hashes for executables in Mac OS X. Use it to find out if that funky-acting executable is a trojan, or just user error.
www.knowngoods.org

kg-report - This set of scripts will generate plain text reports based on the data available from knowngoods.org
sourceforge.net/projects/kg-report

ctool is a small application that computes MD5 and SHA-1 checksums, mindful of the segments that contain prebinding information stored in Mach-o executable files.
ctool

CheckMate by Brian Hill - An osx preference pane that verifies checksums of specified items.
personalpages.tds.net/~brian_hill - the 1.03b version is needed for osx 10.3.x

Advanced CheckMate file list - This is a much more complete list of files for CheckMate to checksum and verify. To use it, replace your current plist at /Library/Preferences/SystemConfiguration/ with this one and then generate new checksums for the list.
com.brianhill.checkmate

Osiris by the Shmoo Group - Osiris is a file integrity management system that periodically monitors one or more hosts for change. It maintains detailed logs of file system changes and can be configured to email these logs to the administrator.
osiris.shmoo.com

Tripwire - Tripwire establishes a baseline 'snapshot' of your file system (recording file system properties - owner, permissions, modify time, content hashes, etc) and stores this information in a secured database. When an integrity check is run, it gathers the same information on the same files and looks for any differences. Any deviations are written to a report file and (optionally) emailed to whoever you specify.
sourceforge.net/projects/tripwire - tripwire patches for osx - osx tarball - Compiling tripwire from source

yafic by Allan Saddi - yet another file integrity checker - Similar to Tripwire. yafic, however, is fast, simple, and yet flexible. Config files are similar to Tripwire's, even supporting flag templates. It uses SHA-1 as its hash function.
www.philosophysw.com/software/yafic/ - sourceforge.net/projects/yafic - available via darwinports

fcheck -
www.geocities.com/fcheck2000/fcheck.html - Using fcheck on osx

radmind - A suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. For Mac OS X, there's also a graphical interface. At its core, radmind operates as a tripwire. It is able to detect changes to any managed filesystem object, e.g. files, directories, links, etc. However, radmind goes further than just integrity checking: once a change is detected, radmind can optionally reverse the change.
rsug.itd.umich.edu/software/radmind/macosx.html

samhain by Rainer Wichmann - Samhain is a file system integrity and intrusion detection tool that allows one to trace what changes have occurred on a file system, when these changes occurred, and who was logged into the system at the respective time. samhain is designed for intuitive configuration and tamper-resistance.
samhain.sourceforge.net/surround.html?main_q.html&2

aide by Rami Lehti and Pablo Virolainen - Advanced Intrusion Detection Environment - A free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. It creates a database from the regular expression rules that it finds in the config file. Once this database is initialized it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity.
http://www.cs.tut.fi/~rammer/aide.html
Sourceforge project home

rkhunter - Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It runs well on OS X, although not all options are currently enabled.
www.rootkit.nl/

ChkRootKit_MacOSX-0.38b02 -
http://www.gouedart-lafeuille.net/software/applescript/ChkRootKit_for_MacOSX/
http://www.gouedart-lafeuille.net/software/applescript/ChkRootKit_for_MacOSX/ChkRootKit_MacOSX-0.38b02.sit


hardening:

Chroot ssh user account by Masaki Ogawa - english japanese

Encrypted Swap on Mac OS X 10.3 (Panther) - This method uses an encrypted disk image for the swap files. I have only started testing it and have yet to have any problems so far.
EncryptedSwap 0.2.1 (2004-08-05)

Turning off the SWAP in OS X - OS X saves passwords (File Vault, login, KeyChain) in plain text in the vm swap files, where they can be recovered and searched via grep either by an administrator or by someone with physical access.
swapon_swapoff.txt
original bugtraq post - another bugtraq post

Systrace - Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm and allow a user to refine the currently configured policy.
not currently working under 10.3.x
http://www.citi.umich.edu/u/provos/systrace/macosx.html - available via darwinports

Bastille for OS X by Jay Beale - not currently working on 10.3.x yet
http://www.bastille-linux.org/osx.html

CIS OSX Benchmark Tool by Jerome Holman - The CIS Benchmark is a tool created by the Center for Internet Security that brings together the essential security configurations and settings used by a large group of information technology (IT) organizations, information security professionals and auditors into a single tool. It can be run on a client platform to determine whether or not a system is configured in a manner considered best-practice security for computers connected to the Internet.
filebox.vt.edu/users/jeholman/pages/cis.html - Sourceforge project home - CIS Benchmark 1.35 CLI version - CIS Benchmark GUI Cocoa front-end

nipatch - Fix permissions to deny access to the casual systems cracker for Netinfo Databases and Tools.
ni.patch

Moving the swapfile in Mac OS X 10.3 (Panther) -
www.math.columbia.edu/~bayer/OSX/swapfile/

wipe-swapdisk 0.5 - Secure deletion of free swap disk space
wipe-swapdisk.tgz


forensics:

Maximillian Dornseif over at RedTeam has released some patches to compile various forensic tools on the mac:
dd_rescue-1.10-mac.patch - foremost-0.69-mac.patch - gpart-0.1h-mac.patch - md5deep-1.5-mac.patch
He's also done some work on getting socat working via darwinports - dports-dev

Derrick Donnelly, CTO, BlackBag Technologies presented a session entitled "Open Source Digital Forensic Acquisition and Analysis on Mac OS X" at the recent O'Reilly Mac OS X Conference.
Download presentation pdf

Forensic Analysis of a System OS X by Rolland Miller -
www.giac.org/practical/Roland_Miller_GCFA.doc

Forensic Analysis of a compromised Mac OS X (Client) Machine -
http://www.afp548.com/Articles/security/postmortem.html

The Sleuth Kit (TSK) by Brian Carrier - A collection of command line tools based on The Coroner's Toolkit (TCT).
http://www.sleuthkit.org

The Autopsy Forensic Browser by Brian Carrier - A graphical interface to the command line tools in TSK.
www.sleuthkit.org/autopsy/