Remote Desktop Security

#1 - MrGamma - 06-13-2009, 11:59 AM

Hello,

I have an issue with my OSX machine. I have consistently locked down the remote desktop sharing preferences only to have the lock come undone after casual usage.

Now I realize I could be paranoid, however, I have also run root kits to try and find any issues, and they say that my remote login is enabled.

Where are the logs for this? Is there any way I can know who is remotely logging into my machine?

The computer I am on was supplied by an employer who refused to provide the root password and installer disks with the machine.

I am convinced that there is a security breach.

What can I do?

#2 - digitol - 06-26-2009, 08:58 AM

Quote:
I have also run root kits to try and find any issues
Explain this? ^

Anyhow, things to try: Edit sudoers file. Disable/enable root user and set your preferences (lock remote desktop) from there. Now a bit more invasive; boot single user, use .SetupDone to make admin user if needed. All logs can be viewed via the console. If the remote-sharing box is unchecked chances are you're OK. Install outbound/inbound firewalls or sentry. ipnetsentry is boss. Yea. That should do it.

-Digitol-
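
An added example, not part of any post in this thread: "Remote Login" in the Sharing preferences is the SSH service, so who connected shows up as sshd authentication lines in the system log text that Console displays. The sketch assumes the standard OpenSSH syslog wording and runs on constructed sample lines; it does not cover Screen Sharing or Remote Desktop (VNC) sessions.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): sshd lines in standard OpenSSH
# syslog format, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Jul  8 09:14:02 workmac sshd[412]: Failed password for root from 198.51.100.23 port 50211 ssh2
Jul  8 09:14:09 workmac sshd[412]: Failed password for invalid user admin from 198.51.100.23 port 50213 ssh2
Jul  8 13:40:55 workmac sshd[977]: Accepted password for itadmin from 192.0.2.10 port 61002 ssh2
Jul  8 13:41:30 workmac ntpd[25]: time reset
Jul  9 02:05:17 workmac sshd[1203]: Accepted publickey for itadmin from 192.0.2.10 port 61544 ssh2
Jul  9 08:00:01 workmac sshd[1290]: Accepted password for me from 127.0.0.1 port 49800 ssh2
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def parse_events(log_text):
    """Return one dict per sshd authentication line; skip everything else."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = " ".join(event["ts"].split())  # collapse day padding
            events.append(event)
    return events

def summarize(events, local_sources=("127.0.0.1", "::1")):
    """Split events into accepted remote logins and failure counts per source."""
    remote_logins = defaultdict(list)   # (user, source) -> [timestamps]
    failures = defaultdict(int)         # source -> failed attempts
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        elif e["ip"] not in local_sources:
            remote_logins[(e["user"], e["ip"])].append(e["ts"])
    return dict(remote_logins), dict(failures)

if __name__ == "__main__":
    logins, failures = summarize(parse_events(SAMPLE_LOG))
    for (user, ip), times in sorted(logins.items()):
        print(f"accepted: {user} from {ip} at {', '.join(times)}")
    for ip, count in sorted(failures.items()):
        print(f"failed:   {count} attempt(s) from {ip}")
```

An accepted login for an account you do not recognise, or from an address that is not yours, is the line to follow up on; repeated failures from one source indicate password guessing.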

#3 - MrGamma - 07-08-2009, 04:12 PM

Quote:
Originally Posted by digitol
Explain this? ^

Anyhow, things to try: Edit sudoers file. Disable/enable root user and set your preferences (lock remote desktop) from there. Now a bit more invasive; boot single user, use .SetupDone to make admin user if needed. All logs can be viewed via the console. If the remote-sharing box is unchecked chances are you're OK. Install outbound/inbound firewalls or sentry. ipnetsentry is boss. Yea. That should do it.

-Digitol-
Sorry...

It should have read... "I have also run root kit detectors to try and find any issues."

In any event... I have downloaded and installed Flying Buttress. Man, I was amazed at how often Google down in California felt the need to ping me...

I will look into ipsentry. I have looked into the sudoers file as well but I couldn't really make sense of it and will have to look into it again.

What I am really interested in is figuring out where the "Login" or "Remote access" log is.

I am systematically trying to find all the possible entry points to the system and I have recently discovered you can even grant remote access with LDAP which I am not even sure if a firewall would block. Then there is UUCP (unix to unix copy) which is another one I am concerned about.

Will a firewall block these, and will the sudoers file show if these items are active and running or a threat?

In addition I have looked into TripWire but I am rusty on compiling my own applications. Not sure if it is worth it or if there is something better yet. I have looked into this specific application because some of my permissions are changing on my files and I want to know why. I think Tripwire might be a little over my head at this point.

I also managed to disable root access... but I have another concern with actually finding all the users on the system. Specifically ones which require no password to get access or anonymous users. I can't figure out where the file is which lists them all. I am sorry if this seems stupid. I haven't used a Mac for quite a few years now.


Quote:
If the remote-sharing box is unchecked chances are you're OK
To be specific... My Remote Sharing preferences were casually unlocking nearly every day. When I installed Flying Buttress, the lock came off once and it has never come off again. To be very speculative and paranoid, that sounds to me like Flying Buttress may have prevented some sort of monitoring system from watching my machine and then perhaps the "remote admin" came back into the machine and changed something again... Since after the firewall installation I found a problem while running a root kit detector. It said the UUCP user on my machine had changed. I don't know how to monitor UUCP. In addition, Flying Buttress is currently blocking a lot of stealth connections. These are harmless, correct?

Last edited by MrGamma; 07-08-2009 at 04:27 PM.

#4 - JayBird - 07-09-2009, 09:09 AM

Or you could just go to System Prefs, then on the first tab 'General' put a tick in the box - 'require password to unlock each system preferences pane'.
__________________
I Do Not Condone Piracy, If You Like It BUY IT! - It's Ok To Test But Not Steal - MacBook Pro Owner

iPhone Owner 3G

#5 - MrGamma - 07-10-2009, 01:18 AM

Quote:
Originally Posted by JayBird
Or you could just go to System Prefs, then on the first tab 'General' put a tick in the box - 'require password to unlock each system preferences pane'.
That's what I did and it still came unlocked. That's why I am worried about where the users file is and how I can monitor exactly who is remotely connecting. I am worried that perhaps a UUCP or LDAP connection or something which would slip by the firewall could be in use...

Or even maybe I just have an account somewhere which requires no password.

Remember this is an employer who handed me this machine without the disks and they had all the time in the world to set it up however they wanted. I have changed my password... I am just worried there are other accounts, programs or even some strange anonymous user with some sort of stealth connection has access...

I am asking these questions because I don't know. And the more I look... BSD seems to have a lot of possibilities... and Mac OS seems to have changed things around enough that there is so little documentation floating around to make deciphering it very hard...

Last edited by MrGamma; 07-10-2009 at 01:23 AM.

#6 - JayBird - 07-11-2009, 07:06 PM

http://images.apple.com/support/secu...fig_2nd_Ed.pdf

#7 - JayBird - 07-11-2009, 07:07 PM

Operating Systems - NSA/CSS - Props to Sam

#8 - MrGamma - 07-13-2009, 11:15 PM

That looks like what I was having trouble finding... Thanks, guys...