My next class:

The Ultimate OS X Hardening Guide Collection

Published: 2012-02-20. Last Updated: 2012-02-20 02:04:54 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Many security professionals tend to use OS X systems. Maybe for the nice and shiny looks, or the Unix under pinnings that make it a great platform to run current tools. However, the operating system itself isn't exactly "secure out of the box" and like all operating systems can profit from some additional hardening tricks. 

I have recently looked over a number of OS X hardening guides, and found that not many specifically address the latest version of OS X (Lion, 10.7), nor are they necessarily well maintained. Instead of coming up with another (soon to be outdated) guide, I am trying to come up with a "meta guide". If you know of a good hardening guide for OS X: Please let me know. Also, if there are any tricks that you find useful (or things that fired back and didn't work at all): Let me know too. 

Most notably: Apple released a guide for each version of OS X up to Snow Leopard, but I can't find one for Lion. Does it exist?

Here are some of the guides that I have sound so far:

Apple: http://www.apple.com/support/security/guides/
NSA Guide: http://www.nsa.gov/ia/_files/factsheets/macosx_hardening_tips.pdf
Mac Shadows: http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X
Univ. Texas: https://wikis.utexas.edu/display/ISO/Mac+OS+X+Server+Hardening+Checklist
Center for Internet Security: http://benchmarks.cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.os.unix.osx

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

7 comment(s)
My next class:

Comments

There is also the Mac OS stigs at DISA: http://iase.disa.mil/stigs/os/mac/mac.html
I haven't yet found a Lion hardening guide. What I *can* tell you is, if you have a Mac that is not on an Open Directory domain, pwpolicy no longer works to set password policy.
Just reading the NSA hardening guide and some of those recommendations are pretty extreme for a normal user. I mean, disabling all audio, Wi-Fi, Bluetooth, video cameras?? If the computer is sitting on a high security network I understand, but for a normal user it is downright ridiculous. Functionality has to enter the picture somewhere or we might as well dial the computer clock back a decade and a half and get rid of that "pesky internet" while we are at it. How about a normal non-classified material but still reasonably secure guide?
Yes the NSA guy is pretty extreme for normal users.

This one can be added to the list.
http://www.safegadget.com/30/free-security-how-to-computer-security-computer-protection-on-macintosh/
Apple moves so fast with their operating systems that it's almost impossible for the security community to keep up. Apple's own security guides are the definitive resource, and the NSA PDF is just a small subset of what Apple's guide contains. Part of the reason Apple hasn't released the Lion security guide yet is because it gets vetted by NSA/DISA and the like, which is a time-consuming process. For supplemental material, Apple's Common Criteria admin guide is a little out of date but definitely worth a read at https://ssl.apple.com/support/security/commoncriteria/CommonCriteriaAdminGuide.pdf. Don't install the tools on 10.6 or newer.
I agree that the majority of hardening guides are far too restrictive (and overkill) for 90% of normal users. My guide (which I think is going to be added above soon), is aimed at helping normal users lock down their Mac OS X install, without having to fiddle with low-level system settings.

http://www.securitygeneration.com/leopard/

It's currently up to date for Snow Leopard. I plan on updating this for Lion (or maybe go straight for Mountain Lion) soon.
Great guide, tons of excellent info.

And for an in-depth <a href="http://www.htchd2android.com">HTC HD2 Android Install Guide</a>, this is your source.

Diary Archives