EDIT: As I have mentioned to some people, I am a software developer and I am interested in starting a software company from the ranks of the OSx86 community. Part of this software may include some OS X security products. I am not also planning to an OS X security guide based on what I have started in this thread.

I have now attached the first draft of my "Xtreme OS X Security" guide (which is just this thread) here. I plan to slowly transform this document is into a serious monograph which accompanies military grade OS X security tools. I maybe talking with the CIA's In-q-tel about financing some of this work: http://www.in-q-tel.com/



Xtreme OS X Security...

Let's start with the NSA's OS X guide: http://www.nsa.gov/snac/downloads_macX.cfm

Has anyone else seen this?

Note that this was put out by the "Systems and Network Attack Center" of the NSA.

Gee, I wonder what to make of that "attack" part...

But I am sure glad the NSA "helped" with Vista security... (no wonder Shard likes it so much).

I am going through the NSA's OS X security now and will posting anything worth noting. I have it at it before and still think that most experts here are way beyond the NSA's level of security, but it is worth looking at and I would encourage people new to OS X security to start with it. I will then cover the notes on security by Amit Singh in "Mac OS X Internals" which I have previously linked to on this board.

In the meantime, I want to note that the CIA attempts to practice "fail-safe" network security. Essentially they try to run dual networks. The high security network is internal only, it has no Internet connection. This should make it impossible to access using normal means. The CIA this up by broadcasting noise as an electromagnetic barrier to electronic eavesdropping and such. Of course, the obvious problem with the "fail-safe" approach is that it does not protect machines that must be on the Internet to operate, the transfer of data from the internal to the external network is slow and if it relies on the use of portable devices they are vulnerable to interception.

NSA OS X Security Configuration Guide notes (this guide is a little dated, it was released for Panther 10.3, but most of it appears to directly apply to Tiger 10.4):

***CHAPTER 2, Initial Installation***

- p. 10: Internet Explorer – No. Internet Explorer (IE) for the Mac OS is no
longer being developed, and while support is available now, future
security updates are not guaranteed and may not be timely. If IE is
operationally required, caution should be used. It is recommended
that IE not be used.

Amusing...

- p. 12: Registration Information
Any information entered in this screen will be stored and forwarded to Apple
when the machine is connected to the Internet. This information gathering
section of the installation process should be skipped.
To bypass this part of the process:

1. Press command-Q. This will cause the registration process to end, and the
information gathering process will be skipped.
2. In the You have not finished setting up Mac OS X dialog box, click Skip
to bypass the remaining registration and setup process.

If information had been inadvertently entered during the installation process, it
should be removed before the system is connected to a network. In Chapter 4,
“Configuring System Settings,” instructions will be given on how to delete this
information to prevent it from being automatically transmitted over a network.
Any information entered in this screen, if not deleted before the system is
connected to the Internet, will be transferred across the Internet in plaintext to
Apple. Even if the system is connected only to an internal network, and not the
Internet, registration information may be transmitted across that network in an
attempt to forward it to Apple. It is very important that no sensitive information
is entered in these screens.


Now, you will never have to go through that hassle of entering all that crap when re-installing OS X again. Just hit Command-Q.

- p.13: 3. Enter the administrator’s password in both the Password and Verify boxes.
Passwords in Mac OS X can be up to 255 characters long and contain
uppercase letters, lowercase letters, numbers, and special characters.
Choosing a password that consists of at least 12 characters, that would not be
found in a dictionary, and that contains mixed case, numbers, and special
characters is recommended. There are many references available which
describe how to choose good passwords; therefore, this guide will not go into
any further detail about choosing a password.

Here is how I generate both usernames and passwords. I grab a fat phone book ("white" pages - residential), and randomly select some names, addresses and numbers as bases for the usernames and passwords. I then randomly decomposed and recombine them in pieces which fit together in my mind (so they are easier to memorize). I also use "special" characters.

- p. 15: Downloading and Verifying Updates
The Software Update panel in the System Preferences panel might pop up to
indicate any updates available for the system. Software Update will ask if any new
downloads found should be downloaded and installed. Software Update should not
be used to automatically perform updates. Select Quit to exit Software Update, and
continue installing updates manually.

Updates can be downloaded from http://www.apple.com/support/downloads
(Figure 1) using a machine designated specifically for downloading and verifying
updates, and should be copied to a disk for installation. The download should be
done separately so that file integrity can be verified before the updates are installed.

Another resource for locating current updates for Mac OS X is the Knowledge Base
article on Apple’s website:
...

Make sure to note the SHA-1 digest for each of these files. The SHA-1 digest should
be posted on-line with the download.

Once the software updates have been downloaded from Apple they should be
checked for viruses and written to a CD. Apple also provides a SHA-1 digest for their
updates so that the integrity of the update can be verified. The SHA-1 digest should
be checked to confirm the authenticity of the updates. Check the updates using the
following steps:

1. Start the Terminal program, located in /Applications/Utilities.
2. In the Terminal window, issue the following command:
/usr/bin/openssl sha1 <full path filename>

where <full path filename> is the full path filename of the update for
which the SHA-1 digest is being checked. Repeat this for each update.
3. The pathname of the file will be displayed in the Terminal window followed by
the SHA-1 digest for that file.
4. Check the SHA-1 digest for each update against the SHA-1 digest displayed on
the Apple site. The SHA-1 digest will be displayed in the “Information and
Download” document for the update. In most cases, this will be the document
that is displayed when the link for downloading the document is clicked. If
not, search for the name of the update in the downloads section of the Apple
support page, and find the “Information and Downloads” document for the
update to obtain the SHA-1 digest.
5. The SHA-1 digest for each update should match the digest given on Apple’s
web site for that update. If it does not, the file was corrupted in some way and
a new copy should be obtained.

So, there are several issues. First of all, this now even applies to OSx86 as the lastest security updates are applicable to 10.4.8 installs. In xtreme cases, it certainly is possible for a hostile party to misdirect a security update to a trojan. Downloading from Apple directly should guard against it, hash checking can verify the correct has been received.

It is unlikely that Apple will want to cooperated in any schemes to comprise OS X.

- p. 19: Fix Disk Permissions
Permissions on files can sometimes become set incorrectly, especially during a
software installation. Incorrect permissions can cause the system to operate
incorrectly and even introduce security vulnerabilities. Fixing these permissions is
recommended after performing any software installation on Mac OS X.

So we should all know that this is an on OSx86. As of 10.4.8, I believe that Disk Utility.app is working correctly in this regard. Note that the NSA is not exactly wrong about booting off an install disk to do this, it is possible that an OS X install could be comprised so the incorrect permissions would be set by Disk Utility.app, however I really doubt they are anywhere near that level. Of course, permissions can be set manually, and the permissions being set by Disk Utility.app can be verified for sanity.

I just fixed permission on one of my OSx86 10.4.8 install and interestingly enough something odd came. I need to look into later. If anybody has anything to say about this, please speak up.

Code:

The privileges have been verified or repaired on the selected volume
Repairing permissions for “System2”
Determining correct file permissions.
parent directory ./Users/Shared/SC Info does not exist
Permissions differ on ./private/var/log/secure.log, should be -rw------- , they are -rw-r----- 
Owner and group corrected on ./private/var/log/secure.log
Permissions corrected on ./private/var/log/secure.log

Originally Posted by bofors

Here is how I generate both usernames and passwords. I grab a fat phone book ("white" pages - residential), and randomly select some names, addresses and numbers as bases for the usernames and passwords. I then randomly decomposed and recombine them in pieces which fit together in my mind (so they are easier to memorize). I also use "special" characters.

It seems ironic that a man so concerned with security would just throw his personal information around

~John Anderson
7715 Middlepointe St.
Dearborn, Michigan 48126

John Philip Anderson
215 West Newman Rd.
Okemos, Michigan 48864

I am going to discussing how to set up OS X for encrypted email usage here later, but I will be finishing with NSA's OS X security manual first and then cover some architectural detail with help from Amit Singh.