Hardening Your Macintosh
os x security, auditing, hardening, pen-testing, privacy & more...
security guides, presentations & tutorials:
Angelo Laub's slides from his presentation "Mac OS X Insecurity" at the 21C3 congress.
Also his paper entitled Mac OS X Insecurity is available.
Paul Day has released a detailed and concise paper and slides titled "Securing Mac OS X".
The U.S. National Security Agency (NSA) guide to securing the OS X Operating System.
Mac OS 10.3 Server Security by Charles Edge (krypted) - DefCon 12 presentation August 2004
OSX Server Security.ppt - .pdf version
A Corsaire White Paper: Securing Mac OS X by Stephen de Vries - June 2004 - A thorough new security & hardening tutorial
Macintosh OS X.3 Panther Benchmark Security Document (Draft) March 2004 -
Mac OS X Security Framework by Leon Towns-von Stauber, from the Seattle SAGE Group, February 2004
Intro to Mac OS X: 5 Security by Marius Schamschula -
Locking Down Mac OS X by Jay Beale from Black Hat 2003 -
Mac OS X System Hardening Policy - July 1, 2003 Version 1.0
Mac OS X 10.2 Benchmark v1.3.4 (Darwin 6.x)
Mac Security by Leon Towns-von Stauber, from the O'Reilly Mac OS X Conference 2002 -
Macintosh OS X Vulnerabilities and Intrusion Detection by Dan Jensen - Sept. 2002 -
Practical Security Techniques for Macintosh OS X Laptop Users by David H Hickman - August 13, 2002
SANS Mac Reading Room - Several papers
Mac OS X Security by Rick Hill, Jackie Simmons, Paul Waterstraat - Older OS X security notes.
OS X Client Management by Jackie Simmons - Client Security for OSX Labs
Securing Mac OS X by Simon Edwards -
security web sites:
Apple Security Updates
Source of some great osx projects and information
Utah.edu's great osx security resource
Good archive of info. Unfortunately this site is getting more and more out of date.
Known Good Lists: List of MD5 hashes for executables in Mac OS X. Use it to find out if that funky acting executable is a trojan, or just user error.
kg-report - This set of scripts will generate plain text reports based on the data available from knowngoods.org
ctool is a small application that computes MD5 and SHA-1 checksums, mindful of the segments that contain prebinding information stored in Mach-O executable files.
CheckMate by Brian Hill - An osx preference pane that verifies checksums of specified items.
personalpages.tds.net/~brian_hill - the 1.03b version is needed for osx 10.3.x
Advanced CheckMate file list - This is a much more complete list of files for CheckMate to checksum and verify. To use this you should replace your current plist at /Library/Preferences/SystemConfiguration/ with this one and then generate new checksums for the list.
Osiris by the Shmoo Group - Osiris is a file integrity management system that periodically monitors one or more hosts for change. It maintains detailed logs of file system changes and can be configured to email these logs to the administrator.
Tripwire - Tripwire establishes a baseline 'snapshot' of your file system (recording file system properties - owner, permissions, modify time, content hashes, etc) and stores this information in a secured database. When an integrity check is run, it gathers the same information on the same files and looks for any differences. Any deviations are written to a report file and (optionally) emailed to whoever you specify.
sourceforge.net/projects/tripwire - tripwire patches for osx - osx tarball - Compiling tripwire from source
yafic by Allan Saddi - yet another file integrity checker - Similar to Tripwire. yafic, however, is fast, simple, and yet flexible. Config files are similar to Tripwire's, even supporting flag templates. It uses SHA-1 as its hash function.
www.philosophysw.com/software/yafic/ - sourceforge.net/projects/yafic - available via darwinports
www.geocities.com/fcheck2000/fcheck.html - Using fcheck on osx
radmind - A suite of Unix command-line tools and a server designed to remotely administer the file systems of multiple Unix machines. For Mac OS X, there's also a graphical interface. At its core, radmind operates as a tripwire. It is able to detect changes to any managed filesystem object, e.g. files, directories, links, etc. However, radmind goes further than just integrity checking: once a change is detected, radmind can optionally reverse the change.
samhain by Rainer Wichmann - Samhain is a file system integrity and intrusion detection tool that allows one to trace what changes have occurred on a file system, when these changes occurred, and who was logged into the system at the time. samhain is designed for intuitive configuration and tamper-resistance.
aide by Rami Lehti and Pablo Virolainen - Advanced Intrusion Detection Environment - A free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. It creates a database from the regular expression rules in its config file. Once this database is initialized it can be used to verify the integrity of the files. It supports several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of each file.
Sourceforge project home
rkhunter - Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It runs well on OS X, although not all options are currently enabled.
Chroot ssh user account by Masaki Ogawa - english japanese
Encrypted Swap on Mac OS X 10.3 (Panther) - This method uses an encrypted disk image for the swap files. I have only started testing it and have yet to have any problems so far.
EncryptedSwap 0.2.1 (2004-08-05)
Turning off the SWAP in OS X - OS X saves passwords (File Vault, login, KeyChain) in plain text in the vm swap files, where they can be recovered and searched via grep either by an administrator or by anyone with physical access.
original bugtraq post - another bugtraq post
Systrace - Systrace enforces system call policies for applications by constraining the application's access to the system. The policy is generated interactively. Operations not covered by the policy raise an alarm and allow a user to refine the currently configured policy.
not currently working under 10.3.x
http://www.citi.umich.edu/u/provos/systrace/macosx.html - available via darwinports
Bastille for OS X by Jay Beale - not currently working on 10.3.x yet
CIS OSX Benchmark Tool by Jerome Holman - The CIS Benchmark is a tool created by the Center for Internet Security. It brings together the essential security configurations and settings used by a large group of information technology (IT) organizations, information security professionals and auditors into a single tool that can be run on a client platform to determine whether or not a system is configured in a manner considered best practice for computers connected to the Internet.
filebox.vt.edu/users/jeholman/pages/cis.html - Sourceforge project home - CIS Benchmark 1.35 CLI version - CIS Benchmark GUI Cocoa front-end
nipatch - Fix permissions to deny access to the casual systems cracker for Netinfo Databases and Tools.
Moving the swapfile in Mac OS X 10.3 (Panther) -
wipe-swapdisk 0.5 - Secure deletion of free swap disk space
Maximillian Dornseif over at RedTeam has released some patches to compile various forensic tools on the mac:
dd_rescue-1.10-mac.patch - foremost-0.69-mac.patch - gpart-0.1h-mac.patch - md5deep-1.5-mac.patch
He's also done some work on getting socat working via darwinports - dports-dev
Derrick Donnelly, CTO, BlackBag Technologies presented a session entitled "Open Source Digital Forensic Acquisition and Analysis on Mac OS X" at the recent O'Reilly Mac OS X Conference.
Download presentation pdf
Forensic Analysis of a System OS X by Rolland Miller -
Forensic Analysis of a compromised Mac OS X (Client) Machine -
The Sleuth Kit (TSK) by Brian Carrier - A collection of command line tools based on The Coroner's Toolkit (TCT).
The Autopsy Forensic Browser by Brian Carrier - A graphical interface to the command line tools in TSK.