Mac OS X Security Checklist
For IT Pros
This page contains advanced information about improving your Mac OS X system's security.
Introduction
Although OS X is fairly secure straight out of the box, its FreeBSD underpinnings give you a great deal of added control over security settings. In fact, the more comfortable you are with Unix system administration, the more effective you will be as an OS X administrator.
Note that this list is designed to be used in conjunction with the basic security checklist (Securing Your Mac OS X System) and merely scratches the surface of advanced OS X system security. In addition, many of these security suggestions are, in a sense, optional. Some will merely provide extra information, while others are simply too strict to use on some systems. You must evaluate each suggestion, and decide for yourself whether it is applicable to your computing environment.
Advanced steps
- Set password restrictions: Mac OS X client has limited strong password enforcement, making it essential that you use the pwpolicy command to set the few possible options. Benchmark settings are a minimum of 9 characters (minChars=9), require numerals (requiresNumeric=1), require alphabetic characters (requiresAlpha=1), five login attempts (maxFailedLoginAttempts=5), no maximum password length (maxChars=0), and the password cannot be the same as the username (passwordCannotBeName=1).
- Set default umask: The default OS X umask is 022, meaning that all newly created files are world readable. The global umask can be changed to 027 by adding the following lines to /Library/Preferences/.GlobalPreferences.plist:
    <key>NSUmask</key>
    <integer>23</integer>
  Note that this file uses decimal notation, not the standard Unix octal. If you wish to change the umask to 077, use 63 between the integer tags instead of 23.
- Restrict root access: Do not allow remote root logins. This forces all root users to log in via their own accounts, simultaneously reducing external security risks and leaving a record of root access.
- Set login warning banner: Login warning banners are key to prosecuting unauthorized users. If you choose to set a login warning banner, check with your legal department for help with the wording.
- Enable Open Firmware password: An Open Firmware password will limit unauthorized access to boot options, such as the boot device (e.g., network, CDROM, target disk mode), Startup Manager, and PRAM reset, greatly enhancing your machine's physical security. Open Firmware password protection is available for all systems running Open Firmware version 4.1.7 or later. Use the System Profiler to check your Open Firmware version.
- Store log files offsite: Because log files are frequently modified or deleted during a security incident, it is highly recommended that you copy your logs to an offsite location several times per day. This can be as simple as using a third-party log parsing program to email your logs to you. Although an intruder can still delete the logs before they are mailed, you stand a much greater chance of noticing irregularities if you review your logs on a regular basis.
- Enable AUTH logging: Enabling AUTH logging provides you with a great deal of security information, such as su attempts, failed logins, and root logins. To enable AUTH logging, open /etc/syslog.conf, and replace the line
    authpriv.*;remoteauth.debug /var/log/secure.log
  with
    auth,authpriv.*;remoteauth.debug /var/log/secure.log
  and restart syslogd.
- Enable Process Accounting: Process accounting tracks commands executed by users. The logs can be accessed using the lastcomm command, and will include process name, user name, and timing information. Process accounting is particularly useful in tracking root usage and suspected security incidents. To enable process accounting, create the file /var/account/acct and execute the following command:
    sudo /System/Library/StartupItems/Accounting/Accounting start
- Configure /etc/hostconfig: The /etc/hostconfig file is critical to OS X system configuration, and contains several security-related settings. Note that the System Preferences application should not be open while you are editing /etc/hostconfig from the command line, as some System Preferences panes can affect /etc/hostconfig.
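A check for the "Enable AUTH logging" step above, as an added example that is not part of the original checklist: it parses a syslog.conf-style file and reports whether the auth facility is explicitly routed to /var/log/secure.log. The function names facility_logged_to and audit_line are hypothetical, the sample lines are constructed from the two lines quoted in that step, and the parser assumes the selector and the action are separated by whitespace.

```shell
#!/bin/sh
# Added example: audit a syslog.conf-style file for the AUTH logging step.

# facility_logged_to FILE FACILITY DEST
# Exit 0 if an active (uncommented) line routes FACILITY, at any level other
# than "none", to DEST; exit 1 otherwise. A "*" wildcard facility is not
# counted, because the step asks for an explicit auth entry.
facility_logged_to() {
    awk -v fac="$2" -v dest="$3" '
        /^[ \t]*#/ || NF < 2 { next }      # comments, blank or partial lines
        $NF != dest { next }               # action must be the target file
        {
            hit = 0
            n = split($1, sel, ";")        # selector list: fac[,fac].level;...
            for (i = 1; i <= n; i++) {
                dot = index(sel[i], ".")
                if (dot == 0) continue
                level = substr(sel[i], dot + 1)
                m = split(substr(sel[i], 1, dot - 1), f, ",")
                for (j = 1; j <= m; j++)
                    if (f[j] == fac) hit = (level != "none")
            }
            if (hit) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_line LINE: write one constructed config line to a temp file and
# report "logged" or "missing" for auth -> /var/log/secure.log.
audit_line() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    if facility_logged_to "$tmp" auth /var/log/secure.log; then
        result=logged
    else
        result=missing
    fi
    rm -f "$tmp"
    echo "$result"
}

# Constructed samples: the stock line and the edited line from the step.
audit_line 'authpriv.*;remoteauth.debug /var/log/secure.log'       # missing
audit_line 'auth,authpriv.*;remoteauth.debug /var/log/secure.log'  # logged
```

On a live system the same check is facility_logged_to /etc/syslog.conf auth /var/log/secure.log, run after the edit and before restarting syslogd.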


