
Appendix A Xsan Security

Xsan is Apple’s implementation of a clustered file system. This means that the file system can be accessed by multiple machines concurrently. Fibre Channel is an extension of the SCSI protocol and can be accessed through fiber optic cabling. Using Xsan, multiple Macs can simultaneously access shared storage provided over a Fibre Channel network. This allows multiple users to access data striped across a large number of physical drives (let’s just say six Promise VTraks’ worth) as though they are one volume. Each client can access data at speeds of up to 4Gbps. Xsan is commonly used in high-definition video and multiuser high-bandwidth creative environments, and it is also found in web and file-sharing farms.

Xsan is based on the StorNext File System, made by Quantum. Apple and Quantum both claim interoperability between StorNext and Xsan, which means that by combining the two, it is possible for Macs, Windows, and many Unix variants (including Solaris, AIX, Linux and IRIX) to communicate and share storage in a fast Fibre Channel environment. When looking to secure Xsan, you may find that there are specific features of StorNext that you want to use. Because Xsan is based on StorNext, many of the features of StorNext are built into Xsan but might not be available through Xsan Admin. To begin unlocking some of the hidden features of Xsan, you will need to dip into the command line.

Xsan stores most of its data in /Library/Filesystems/Xsan. Configuration files are stored in the Config directory, and binaries are in the bin directory. The files in Config contain information about the structure of the SAN and any volumes on the SAN. The Config directory should not be world-writable, because if it is altered or deleted, the entire SAN volume could be deleted with it. The commands to control and configure Xsan are cvlabel, cvadmin, cvfsck, and cvcp. These commands are analogous to some Unix commands (and are similarly named), but they are quite specific to Xsan. Be wary of using Unix commands in place of the Xsan-specific commands. As an example, you should never, ever run fsck on an Xsan volume.


Metadata

In an Xsan, your metadata is the information about where on the physical disks your files are found, how many pieces they’re in, how to assemble those pieces when a client requests a file, and which clients have those files locked for writing. Metadata should be stored on a dedicated Fibre Channel LUN (logical unit number, the identifier that each logical segment of a target storage device carries to uniquely identify it within that target). It is very important that it live on a mirrored RAID set, to lessen the risk of it being lost. Xsan storage is broken down into three parts:

LUN: “Logical Unit Number”. A logical grouping of drives into a single entity. Usually a RAID set, but it could be a single drive.
Storage pool: A group of LUNs. Each client can write to multiple LUNs through a single storage pool.
Volume: The logical volume presented to the client. It appears as a single local drive.

Metadata is then managed by a metadata controller, which determines where data will go on the SAN and keeps track of where each slice of the data resides (similar to a ). Each volume should have two metadata controllers, a primary and a secondary. While you can have multiple metadata controllers, only one is ever active (per volume) at a given time. Each SAN client requires full access to all LUNs in order to write data. The metadata is simply a pointer that tells the SAN where to write data. If any of the LUNs that make up a storage pool cannot be seen over the Fibre Channel network by a metadata controller or a client, the storage pool reports “STRIPE GROUP DOWN,” and your Xsan volume will go down. For example, if you were to unplug the cable for one target, you would likely bring an entire Xsan environment down. Therefore, physical security becomes very important with Xsan environments.

NOTE: If you are just using Xsan as a back-end file system for a number of bridgehead file servers, then you can restrict access to the LUNs to only the WWNNs of the metadata controllers and file servers.

The root user of any workstation that is connected through Fibre Channel to an Xsan environment can write directly to any accessible LUN by writing data to its raw device node under /dev/. A common one might be /dev/rdisk4. The association between a device ID and a LUN can be found in the Xsan labels for each LUN. If you write enough arbitrary data into the metadata LUN, you will cause a volume to become inaccessible. This is dangerous because once the Xsan environment is restarted, it will read invalid information about itself and therefore be unable to mount the volume. This is a denial of service attack and a tampering attack on the SAN that can be initiated by any client system that has a valid admin/root account. This is very dangerous, and there is no workaround for it other than restricting access to administrative or root accounts on SAN clients.

Fibre Channel

With Fibre Channel, you can cascade two switches by bonding (sometimes referred to as stacking) their backplanes with a 10GB to 20GB connection. Most environments use bonding in order to achieve very fast speeds between switches. From a security perspective, one nice feature of a stacked environment is that you can apply access controls across multiple switches.

Affinities

Storage pools can be assigned an affinity. When data is moved to the affinity, space is allocated from a specific storage pool rather than in a round-robin fashion across all the storage pools. Affinity data can be restricted to specific LUNs, and access to affinities can be limited to certain groups. Data that requires a higher level of integrity can then be given an affinity, or volatile data that requires speed (such as a capture scratch) can be given the fastest possible storage (i.e., SAS drives running on a RAID 0-based LUN). You can use Xsan Admin to assign an affinity to a folder at the top level of a volume. However, to assign an affinity to a nested folder, use the cvmkdir command. For example: sudo /Library/Filesystems/Xsan/bin/cvmkdir -k

Permissions

Xsan volumes appear, to the client, as local storage. Therefore, when a file or folder is created on a volume, POSIX permissions will be assigned to it based on the umask of the client user. Ownership of the files and folders will be tracked by the UID on the local system of the user who created them. A common practice in Xsan environments is to change the default umask of the client systems to 002, which will grant read and write access to owner and group, and read-only access to all others. Managing permissions using only local user accounts and POSIX permissions can be very difficult. Many administrators will use Open Directory to manage users and groups, and Access Control Lists (ACLs) to manage permissions on files. ACLs greatly simplify permissions management, and they are even more valuable when other operating systems are accessing your volume. Windows and Linux clients treat ownership and permissions differently than Macs if they are tapping in through NFS, AFP and/or SMB. When ACLs are in use, new files added to the SAN volume will have the same permissions, no matter how the specific services are configured.

To enable an ACL, open Server Admin, click on Sharing and browse to the root of a volume. Click Sharing, and then Volumes, and then List. Next, click the root of an Xsan volume, and then click on the Permissions tab. Check the box for Enable ACLs on selected volume. Next, configure the permissions that should be in the ACL box, and then click the Save button. Data that is written to the Xsan volume will now have the permissions of the folder above it, provided the ACEs are set to inherit permissions (see Chapter 4). ACL entries can easily be added using Server Admin. This can be much easier than using the default umask.
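Two POSIX facts in this appendix are worth checking rather than assuming: the Config directory must not be world-writable, and an Xsan volume records ownership only as the numeric UID of the client user who wrote the file, so the same UID meaning different people on different clients lets them read and modify each other's files. The following Python audit is an added example, not code from the book or from Xsan; the client names and passwd entries are constructed, and the throwaway Config-like tree it audits is built in a temporary directory.

```python
import os
import stat
import tempfile

# Constructed passwd-style entries from two hypothetical Xsan clients:
# UID 501 is "alice" on one client and "carol" on the other.
CLIENT_PASSWD = {
    "edit-bay-1": "alice:*:501:20:Alice:/Users/alice:/bin/bash\n"
                  "bob:*:502:20:Bob:/Users/bob:/bin/bash\n",
    "edit-bay-2": "carol:*:501:20:Carol:/Users/carol:/bin/bash\n"
                  "bob:*:502:20:Bob:/Users/bob:/bin/bash\n",
}


def parse_passwd(text):
    """Map uid -> username from passwd-format text, skipping comments and blanks."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        users[int(fields[2])] = fields[0]
    return users


def uid_collisions(client_passwd):
    """UIDs that name different local users on different clients.

    Because the volume stores only the numeric UID, such users silently
    own each other's files on the shared volume.
    """
    by_uid = {}
    for client, text in client_passwd.items():
        for uid, name in parse_passwd(text).items():
            by_uid.setdefault(uid, {})[client] = name
    return {uid: owners for uid, owners in by_uid.items()
            if len(set(owners.values())) > 1}


def mode_for_umask(umask, directory=False):
    """Permission bits a new file (0666 base) or directory (0777 base) receives."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


def world_writable_entries(root):
    """Relative paths under root that any user may write, which Config must never contain."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):        # symlink modes are meaningless; audit the target instead
                continue
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def demo_config_audit():
    """Build a constructed Config-like tree with one bad file, then audit it."""
    with tempfile.TemporaryDirectory() as base:
        volumes = os.path.join(base, "volumes")
        os.mkdir(volumes)
        os.chmod(volumes, 0o755)
        good = os.path.join(base, "sample.cfg")            # constructed file name
        bad = os.path.join(volumes, "Scratch.cfg")          # constructed file name
        for path in (good, bad):
            open(path, "w").close()
        os.chmod(good, 0o644)
        os.chmod(bad, 0o666)        # world-writable: the condition the appendix warns against
        return world_writable_entries(base)


if __name__ == "__main__":
    print("UID collisions:", uid_collisions(CLIENT_PASSWD))
    print("umask 002 file mode: %o" % mode_for_umask(0o002))
    print("world-writable:", demo_config_audit())
```

Pointing world_writable_entries at /Library/Filesystems/Xsan/Config on a real metadata controller turns the appendix's warning into a check that can run from cron.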

Quotas

Quotas are also an important part of Xsan. A quota is the amount of space a user can utilize on the SAN. As an administrator, you can set hard and soft quotas for every user on the Xsan. A soft quota lets the user continue to save files when they pass their quota, but they will be warned that they are over their limit. When they reach the hard quota, they will not be able to save any more data until the administrator of the SAN gives them more space, or they delete some files. When users near their quotas, they will be alerted.

Other SAN Solutions

Xsan is a fast and fairly straightforward SAN product. It does not provide any capability for backup or snapshots, it is not as fault tolerant as it could be, and it has a little too much latency for certain applications (such as Pro Tools by Digidesign). Other providers of SAN solutions include EMC, NetApp, and LeftHand Networks (a division of HP). These products can be made to work with the Mac OS X platform, although many do not work without using third-party software. For example, Studio Network Solutions’ Ellipse allows Mac OS X clients to mount LUNs from EMC targets. However, most of these solutions do not offer a for the Mac. Most allow Macs to connect by acting as NAS bridgeheads. Other solutions will allow an HFS+ volume to be mounted read-only on many clients, but only one client will have read/write access at a time. This means it is not a true clustered file system. Vmirror by Vicom Systems gives you the ability to mirror LUNs. This provides redundancy to protect against the loss of a RAID. If a RAID array is lost in an Xsan environment, the whole SAN will be lost. Vmirror can stop this from happening. Cloverleaf by Cloverleaf Communications gives the ability to snapshot Xsan and has some other benefits such as more granular control over and the ability to combine the presentation of various forms of storage to a wide variety of devices.

Appendix B InfoSec Acceptable Use Policy

Note: Created by the SANS Institute. Feel free to modify or use for your organization. If you have a policy to contribute, please send e-mail to [email protected].

1.0 Overview

InfoSec’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to . established culture of openness, trust and integrity. InfoSec is committed to protecting ’s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. Internet/Intranet/Extranet-related systems, including but not limited to equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of . These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations. Please review Human Resources policies for further details. Effective security is a team effort involving the participation and support of every employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at .


These rules are in place to protect the employee and . Inappropriate use exposes to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope

This policy applies to employees, contractors, consultants, temporaries, and other workers at , including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by .

4.0 Policy

4.1 General Use and Ownership

1. While ’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of . Because of the need to protect ’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to .
2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager.
3. InfoSec recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see InfoSec’s Information Sensitivity Policy. For guidelines on encrypting email and documents, go to InfoSec’s Awareness Initiative.
4. For security and network maintenance purposes, authorized individuals within may monitor equipment, systems and network traffic at any time, per InfoSec’s Audit Policy.
5. reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

1. The user interface for information contained on Internet/Intranet/Extranet-related systems should be classified as either confidential or not confidential, as defined by corporate confidentiality guidelines, details of which can be found in Human Resources policies. Examples of confidential information include but are not limited to: company private, corporate strategies, competitor sensitive, trade secrets, specifications, customer lists, and research data. Employees should take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.
3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the will be unattended.
4. Use encryption of information in compliance with InfoSec’s Acceptable Encryption Use policy.
5. Because information contained on portable is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.
6. Postings by employees from a email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of , unless the posting is in the course of business duties.
7. All hosts used by the employee that are connected to the Internet/Intranet/Extranet, whether owned by the employee or , shall be continually executing approved virus-scanning software with a current virus database, unless overridden by departmental or group policy.
8. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing -owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by .
2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted , and the installation of any copyrighted software for which or the end user does not have an active license is strictly prohibited.
3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
6. Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
7. Making fraudulent offers of products, items, or services originating from any account.

8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
10. Port scanning or security scanning is expressly prohibited unless prior notification to InfoSec is made.
11. Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duty.
12. Circumventing user authentication or security of any host, network or account.
13. Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
14. Using any program/script/command, or sending of any kind, with the intent to interfere with, or disable, a user’s session, via any means, locally or via the Internet/Intranet/Extranet.
15. Providing information about, or lists of, employees to parties outside .

Email and Communications Activities

1. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
3. Unauthorized use, or forging, of email header information.
4. Solicitation of email for any other email address, other than that of the poster’s account, with the intent to harass or to collect replies.
5. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.

6. Use of unsolicited email originating from within ’s networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by or connected via ’s network.
7. Posting the same or similar non-business-related messages to large of Usenet newsgroups (newsgroup spam).

4.4 Blogging

1. Blogging by employees, whether using ’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of ’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate ’s policy, is not detrimental to ’s best interests, and does not interfere with an employee’s regular work duties. Blogging from ’s systems is also subject to monitoring.
2. Company Name>’s Confidential Information policy also applies to blogging. As such, employees are prohibited from revealing any confidential or proprietary information, trade secrets or any other material covered by ’s Confidential Information policy when engaged in blogging.
3. Employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by ’s Non-Discrimination and Anti-Harassment policy.
4. Employees may also not attribute personal statements, opinions or beliefs to when engaged in blogging. If an employee is expressing his or her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly, represent themselves as an employee or representative of . Employees assume any and all risk associated with blogging.
5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, ’s trademarks, logos and any other intellectual property may also not be used in connection with any blogging activity.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6.0 Definitions

Term: Blogging
Definition: Writing a blog. A blog (short for weblog) is a personal online journal that is frequently updated and intended for general public consumption.

Term: Spam
Definition: Unauthorized and/or unsolicited electronic mass mailings.

7.0 Revision History

Appendix C CDSA

If you are a developer of Mac OS X-based software, then there are a few very basic principles that we can impart relating to the security model used when developing software for the Apple platform. While depth is something most developers look for, this is a theory and not a specific technology. Apple has designed its security around the Common Data Security Architecture (CDSA) model, developed by Intel. CDSA is a set of layered security services and a cryptographic framework that provide an interoperable, cross-platform infrastructure for creating security-enabled applications for client-server environments. CDSA covers the essential components to equip applications with security services that provide cryptography, certificate management, trust policy management, and key recovery. CDSA is defined by a horizontal, four-layer architecture:

 It includes applications such as Mail, , iChat, , Access, and other applications developed by Apple. For example, third-party applications from Tweetie to 1Password take part in the CDSA model, leveraging Keychain services and custom CSSM cryptographic store modules, respectively.
 It includes layered services and middleware, including the Application Programming Interfaces (APIs) used by the applications previously listed. An API is a set of definitions that determines how one piece of computer software communicates with another. It is a method of achieving abstraction, usually (but not necessarily) between lower-level and higher-level software. These APIs include interfaces for keychains, file signing, SSL, and certificate management.
 The Common Security Services Manager (CSSM) infrastructure’s Cryptographic Services Manager has functions to create and verify digital signatures, generate cryptographic keys, and create cryptographic hashes.


 Security service provider modules, also known as add-in modules, are third-party and non-application items built using the APIs in the second layer of the CDSA. This allows for extensibility of the framework.

The CDSA is an open source framework, allowing it to closely parallel many of Apple’s other initiatives for security and development. It receives peer review from a larger audience than just Apple users; security and development experts contribute to reviewing the CDSA fundamentals. CDSA allows Apple and the community of third-party developers to architect software in a secure manner while still supporting the network features required for the modern applications of today and tomorrow. For more information on the CDSA model, see the Intel CDSA site at http://www.intel.com/ial/security.

Appendix D Introduction to Cryptography

The word cryptography is derived from the Greek words kryptos, meaning “hidden,” and grafein, which means “to write.” Throughout history, cryptography has been used to hide messages that might otherwise be intercepted in traditional means of communication. This is accomplished by concealing the contents of the message from all except those who have the key to unlock it. In modern times, cryptographic techniques are used to protect e-mail messages, information transmitted over the internet, credit card information, and data on corporate networks. A wide variety of cryptographic techniques are used with computers. They are typically provided for one of two reasons: to protect data while at rest on a computer or to protect data as it is being transferred between two computers or across networks. Most cryptographic techniques for submitting data over the Internet rely heavily on the exchange of keys. Some techniques include:

 Symmetric-key cryptography refers to encryption methods where both senders and receivers of data share the same key and data is encrypted and decrypted with algorithms based on those keys. The modern study of symmetric-key ciphers revolves around block ciphers and stream ciphers and how these ciphers are applied.
 Block ciphers take a block of plain text and a key and then output a block of cipher text of the same size. DES and AES are block ciphers. AES, also called Rijndael, is a cryptographic standard designated by the U.S. government. AES always uses a key size of 128, 192, or 256 bits as well as a block length of 128 bits. DES is no longer an approved method of encryption, as an exhaustive key search attack on a block of DES-encrypted data would take a modern Mac OS X computer a few minutes to decipher. Triple-DES, its variant, remains popular. Triple-DES uses three 56-bit DES keys and is used across a wide range of applications from ATM encryption to e-mail privacy and secure remote access. Many other block ciphers have been designed and released, with considerable variation in quality.
 Stream ciphers create an arbitrarily long stream of key material, which is combined with plain text bit-by-bit or character-by-character, somewhat like the one-time pad (an encryption key that is only used once) technique. In a stream cipher, the output stream is based on an internal state, which changes as the cipher operates. That state’s change is controlled by the key and, in some stream ciphers, by the plain-text stream as well. When the state doesn’t depend on the plain-text input, two messages encrypted with the same key can be combined to gain information about the plain text. RC4 is an example of a well-known stream cipher.
 Cryptographic hash functions do not use keys but take data and output a short, fixed-length hash in a one-way function. For good hashing algorithms, collisions (two plain texts that produce the same hash) are extremely difficult to find, although they do exist. Collisions must exist, as there are infinite possible inputs to a hash function but only a finite range of outputs.
 Symmetric-key cryptosystems typically use the same key for encryption and decryption. A disadvantage of symmetric ciphers is that a complicated key management system is necessary to use them securely. Each distinct pair of communicating parties must share a different key. The number of keys required increases with the number of network members. This requires very complex key management schemes in large networks. It is also difficult to establish a secret key exchange between two communicating parties when a secure channel doesn’t already exist between them.

NOTE: If you don't already have a secure channel, it's impossible to establish a shared but secret key. DHX gets around this by creating a transient secure channel.

Whitfield Diffie and Martin Hellman are considered by some to be pioneers of public-key cryptography. They proposed the notion of public-key (also called asymmetric-key) cryptography, with the Diffie-Hellman key exchange protocol, in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair. In public-key cryptosystems, the public key may be freely distributed, while its paired private key must remain secret. The public key is used for encryption, while the private or secret key is used for decryption.

Who actually invented the first public-key cryptography system is still up for debate. Ronald Rivest, Adi Shamir, and Len Adleman invented RSA, another public-key system. Later, it was widely held that asymmetric cryptography had been invented by James H. Ellis at GCHQ, a British intelligence organization, even though the Diffie-Hellman and RSA algorithms had been previously demonstrated. In the end, Diffie-Hellman and RSA were shown to be the first public examples of high-quality public-key cryptosystems, and they are among the most widely used. In addition to encryption, public-key cryptography can be used to implement digital signature schemes. Digital signatures are somewhat like ordinary signatures; they are easy for a user to produce but difficult for anyone else to forge. Digital signatures can also be permanently tied to the content of the message being signed because they cannot be “moved” from one document to another; any attempt would be detectable. In digital signature schemes, there are two algorithms: one for signing, in which a secret key is used to process the message (or a hash of the message, or both), and one for verification, in which the matching public key is used with the message to check the validity of the signature. RSA and DSA are two of the most popular digital signature schemes. Digital signatures are central to the operation of public-key infrastructures and to many network security schemes (SSL/TLS, many VPNs, and so on). Digital signatures provide users with the ability to verify the integrity of the message, thus allowing for nonrepudiation of the communication. Public-key algorithms are most often based on the computational complexity of “hard” problems, often from number theory. The hardness of RSA is related to the integer factorization problem, while Diffie-Hellman and DSA are related to the discrete logarithm problem. The suitability of an algorithm as the basis of a public-key cryptosystem depends on the difficulty of deriving the private key from the public key.
Ideally it would be at least as hard as guessing the private key at random.. More recently, elliptic-curve cryptography has developed in which security is based on number theoretic problems involving elliptic curves. Because of the complexity of the underlying problems, most public-key algorithms involve operations such as modular multiplication and exponentiation, which are much more computationally expensive than the techniques used in most block ciphers, especially with typical key sizes, which are frequently exclusive-OR (XOR) operations.. As a result, public-key cryptosystems are commonly “hybrid” systems, in which a fast symmetric-key encryption algorithm is used for the message itself, while the relevant symmetric key is sent with the message, but encrypted using a public-key algorithm. Or, relating back to the introduction of Diffie-Hellman Exchange earlier, two parties use asymmetric encryption to agree on a shared session key. Subsequent communication is symmetrically encrypted using that key. Hybrid signature schemes are also often used, in which a cryptographic hash function is computed, and only the resulting hash is digitally signed. Cryptography continues to move forward in an almost exponential manner. Although much of the cryptographic data in use today stems from the research done in the 1970s and earlier, new advances and refinements occur all the time. New techniques are emerging today that will change the shape of cryptography 10 to 20 years from now, making the keys, hashes, and algorithms we use today look like child’s play. As data 576 APPENDIX D: Introduction to Cryptography

grows and computers get faster, though, it is important to have a basic understanding of some of the cryptographic standards you will run into on a regular basis. 577
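The two hybrid constructions described above, as an added example that is not code from the book: a toy Python program that wraps a fresh symmetric key with the recipient's public key, encrypts the body with that symmetric key, and signs only a SHA-256 digest of the package. It assumes textbook RSA over hand-picked Mersenne primes as fixed constants (2^127-1 and 2^521-1 for the recipient "Bob", 2^107-1 and 2^607-1 for the sender "Alice"), a SHA-256 counter keystream named keystream_xor in place of a real cipher such as AES-GCM, and the helper names hybrid_encrypt_and_sign and verify_and_decrypt; all of those are this example's choices, and none of it is secure.

```python
"""Added example: the hybrid structure described above, built from stdlib only.

Textbook RSA over hand-picked Mersenne primes stands in for a real public-key
algorithm, and a SHA-256 counter keystream stands in for a real symmetric cipher
such as AES-GCM.  Nothing here is secure; it only makes the data flow visible:
a fresh symmetric key for the bulk data, the recipient's public key to wrap that
symmetric key, and a hash of the whole package signed instead of the package.
Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import os

E = 65537  # customary public exponent


def make_rsa_key(p, q):
    """Build (n, e, d) from two primes.

    Toy: p and q are fixed constants here.  Real keys use two random primes of
    1024 bits or more; e must be coprime with (p-1)(q-1), which holds for the
    primes chosen below (65537 divides 2^k-1 only when 32 divides k).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)
    return n, E, d


# Constructed toy keys.  2^127-1, 2^521-1, 2^107-1 and 2^607-1 are Mersenne
# primes; the moduli are large enough to hold a 128-bit key or a 256-bit digest
# as one integer, but they are trivially factorable and NOT secure.
BOB_N, BOB_E, BOB_D = make_rsa_key((1 << 127) - 1, (1 << 521) - 1)        # recipient
ALICE_N, ALICE_E, ALICE_D = make_rsa_key((1 << 107) - 1, (1 << 607) - 1)  # sender


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || block counter).

    Stands in for AES; the same call encrypts and decrypts.  Reusing a key
    with this construction leaks the XOR of two plaintexts, which is one
    reason the hybrid scheme below generates a fresh key for every message.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def _package(wrapped_key, ciphertext, recipient_n):
    """Canonical bytes the signature covers: wrapped key, then ciphertext."""
    key_len = (recipient_n.bit_length() + 7) // 8
    return wrapped_key.to_bytes(key_len, "big") + ciphertext


def hybrid_encrypt_and_sign(message, recipient_pub, sender_priv):
    """Encrypt message for recipient_pub=(n, e), sign with sender_priv=(n, d).

    Returns (wrapped_key, ciphertext, signature).
    """
    rec_n, rec_e = recipient_pub
    snd_n, snd_d = sender_priv
    sym_key = os.urandom(16)                                       # fresh 128-bit session key
    ciphertext = keystream_xor(sym_key, message)                   # fast symmetric part
    wrapped_key = pow(int.from_bytes(sym_key, "big"), rec_e, rec_n)  # textbook RSA, no OAEP
    # Hash-then-sign: only the fixed-size SHA-256 digest goes through RSA.
    package = _package(wrapped_key, ciphertext, rec_n)
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    signature = pow(digest, snd_d, snd_n)                          # textbook RSA, no PSS
    return wrapped_key, ciphertext, signature


def verify_and_decrypt(wrapped_key, ciphertext, signature, recipient_priv, sender_pub):
    """Check the signature first; only a verified package gets decrypted.

    Returns the plaintext bytes, or None if the signature does not verify.
    """
    rec_n, rec_d = recipient_priv
    snd_n, snd_e = sender_pub
    package = _package(wrapped_key, ciphertext, rec_n)
    digest = int.from_bytes(hashlib.sha256(package).digest(), "big")
    if pow(signature, snd_e, snd_n) != digest:
        return None                                                # tampered, or not from this sender
    sym_key = pow(wrapped_key, rec_d, rec_n).to_bytes(16, "big")   # unwrap the session key
    return keystream_xor(sym_key, ciphertext)


if __name__ == "__main__":
    msg = b"constructed sample: body encrypted, key wrapped, digest signed"
    wk, ct, sig = hybrid_encrypt_and_sign(msg, (BOB_N, BOB_E), (ALICE_N, ALICE_D))
    assert verify_and_decrypt(wk, ct, sig, (BOB_N, BOB_D), (ALICE_N, ALICE_E)) == msg
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    assert verify_and_decrypt(wk, tampered, sig, (BOB_N, BOB_D), (ALICE_N, ALICE_E)) is None
    print("round trip ok; tampered ciphertext rejected")
```

Two details carry over to real systems even though the primitives here do not. The signature covers the wrapped key as well as the ciphertext, so an attacker cannot swap in a key they chose, and verification happens before any decryption so that unauthenticated data is never processed. Textbook RSA without padding is deterministic and malleable; production code wraps keys with RSA-OAEP, signs with RSA-PSS (or uses an elliptic-curve signature), and encrypts the body with an authenticated cipher such as AES-GCM rather than a bare keystream.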

Index

■ controlling use of , 56 Symbols and discretionary access controls (DAC), 156, 374 Numerics enabling MAC filtration, 335 # character, Unix files, 69 firewalls, 285 #MREGS column, top command, 37 granular control of managed settings in #PRTS column, top command, 37 Leopard, 63 % character limiting access to services, 423–424 referencing groups, 72 limiting access to web sites, 58–59 Unix files, 70 MAC address access controls, 336 % CPU column, Activity Monitor, 34 mandatory access control (MAC), 157, %MEM column, ps command, 36 374 * wildcard, sudoers file, 73 network access control, 290 + character password reset utility, 11 indicating ACEs exist, 96 restricting access with sudoers, 69–74 - (file) type, POSIX, 83 restricting Apache access, 380 / character, sudoers file, 73 restricting network services, 291–292 ? wildcard, sudoers file, 73 restricting user access to applications, [!...] wildcard, sudoers file, 73 57 [...] wildcard, sudoers file, 73 role-based access control (RBAC), 374 _ (underscore) character sandbox access control, 157 accounts beginning with, 65 securing mount points, 74–75 35-Pass Erase option, 22 service access control lists (SACLs), 424 400/401/402/403 error codes, 389 setting time limits for access, 61–62 500 error code, 389 setting up parental controls, 56–62 7-Pass Erase option, 22 access control entries see ACEs 802.11a/802.11n protocols, 326 access control lists see ACLs 802.11b/802.11g protocols, 326, 346 Access Control tab, Keychain Access, 238, 802.11i protocol, AirPort, 327 239 802.1x protocol, 292–293, 326 access levels, POSIX, 80, 82–84 access rights, ACEs controlling, 80 access rights, ACLs see under ACLs ■ A access.log file, 134 a option accessibility mount command, 75 file system permissions, 79 ps command, 35 keychain securing sensitive data, 234 about:config page, Firefox, 195 Account tab, MobileMe, 514 access control account types, Mac OS X, 51–53 controlling directory access, 388–391 administrative user, 51 controlling 
search engine access, 386 group accounts, 53 guest accounts, 53

577 578 Index

root users, 53 Delete Child, 93 standard user, 51 Execute/Search, 92 accounts Read access, 92 beginning with underscore (_), 65 Read Attribute, 92 disabling superuser account, 55, 56 Read Ext Attribute, 92 enabling superuser account, 54–55 Read Permissions, 92 external accounts, 68 Write Attributes, 92 hidden service users and groups, 65 Write Ext Attributes, 92 local administrative accounts, 68 Write/Add Files, 92 Mac OS X security, 4–6 conflicting ACEs, 97 sharing accounts, 52–53 Discretionary Access Controls, 156 Accounts , 4–8 Finder managing permissions, 103 Advanced Options, 64 implementing custom LDAP ACLs, 444 Automatic login option, 6 inheret_only flag, 93 Change Password button, 5 managing from command line, 106 encrypting user data, FileVault, 258, 259 managing on OS X server, 97–103 Login Options button, 6 managing permissions with , 105– removing administrative access, 8 106 securely binding clients to Open mtree support for, 110 Directory, 441, 442 NFS shares, 94 setting passwords, 4, 5 permissions, 356–357 setting up group accounts, 53–54 propagating ACLs, 101 setting up sharing accounts, 52 protocol support and effective setting up VPN account, 419 permissions, 94–95 Accounts tab, AirPort, 364 removing, 107 ACEs (access control entries), 91–94 using ACLs, 95–97 ACL access rights, 91–93 Acquire image screen, MacForensicsLab, administration category, 91 546–548 avoiding ACEs for specific users, 96 actions conflicting access privileges, 97 mandatory access control (MAC), 157 creating inherited ACEs with chmod, 106 Active Directory defining custom privilege sets, 99, 100 AD-Plugin, 454, 455–456, 457 indicating ACEs exist, 96 binding to, 455, 456 inheritance category, 93 configuring OS X machine to use, 455 Mac OS X, 80 DAVE communicating with AD controller, mapping ACE permissions, 99 367 permissions with ACLs, 356 domain, 455, 456 propagating permissions, 100 enforcing managed preferences on read-permissions category, 92 systems using AD service, 452 
removing, 107 forest, 455, 456 write-permissions category, 92–93 integrating Open Directory with, 454–458 ACLs (access control lists), 80, 91–97 dual directory, 458 access rights setting up network homes with AD Append/Add Directories, 93 clients, 456–457 Apply to All Descendants, 93 using profile location as UNC path, 456 Apply to Child Files, 93 Active Processes option, Activity Monitor, Apply to Child Folders, 93 33 Apply to this folder, 93 active scanning, 486 Change Ownership, 91 active-active fault-tolerant solution, 532 Change Permissions, 91 round-robin DNS, 532–533 Delete, 93 active-passive fault-tolerant solution, 531 Index 579

Activity Monitor utility, 31–35 AFP logging, 469–470 % CPU column, 34 Kerberos authentication, 468–469 analyzing processes, 50, 51 limiting access to files/folders, 358 Kind column, 35 port number, 301 Process ID (PID), 33, 34 AFP masquerading, 467 Process Name column, 34 disabling, 468 RAM used, 35 agentpass option, hdiutil command, 255 Real Memory column, 35 agents Show options, 31, 32 LaunchAgents service, 44 SUID applications, 75 Aircrack, 348 Task Manager, Windows, 131 Aireplay, 347 Threads column, 34 Airforge, 349 User column, 34 Airodump command, 348 virtual memory, 35 AirPort, 327–328 actors changing default password, 329 mandatory access control (MAC), 157 choosing wireless protocol, 330 ad hoc networks, securing, 340 configuring, 330–333 add command, ipfw, 319 older versions, 328–330 add directories privilege, ACEs, 93 port mappings, 333 add file privilege, ACEs, 92 wireless encryption type, 332 Add new member screen, Retrospect, 522, creating closed network, 337, 338 523 dangers of Internet Sharing, 315 add_file privilege, 92 directing web traffic, 333 add-in modules, CDSA, 572 disabling, 340 address masking, 322 DMZ (demilitarized zone), 341 admin user, Mac OS X, 81 enabling firewall, 332–333 administration category, ACEs, 91 enabling MAC filtration, 335 Administration tab, CUPS, 19, 20 encryption protocols, 327 administrative users, 8, 51 hardware filtering, 334–336 local administrative accounts, 68 limiting DHCP scope, 333–334 removing administrative access, 8 logging, 336–337 sudo command, 69 network adapters, 315 when to log in as, 8 redirecting traffic to different ports, 333 AD-Plugin, 454, 455–456 setting encryption, 329 using from command line, 457 sharing files with, 362–366 Advanced Options, Accounts preference SSID suppression, 337 pane, 64 types of, 327 Advanced tab, Firefox security, 190 wireless hacking tools, 342–347 adware, 228 AirPort (graphite), 327 AES (Advanced Encryption Standard) configuring, 328 block ciphers, 573 AirPort Admin 
Utility (for older versions) encrypted disk images, 244 adding security using, 328 hdiutil command, 253 changing default password, 329 Encryption field, Disk Utility, 246 choosing wireless protocol, 330 affinities configuring older versions, 328–330 storage pools, Xsan, 561 setting encryption, 329 AFP (), 300, 357–359 AirPort Express, 327, 339 configuring AFP sharing, 358 configuring, 328 security, OS X Server, 466– AirPort Extreme (N), 327 470 AirPort Utility, 330–334 AFP authentication options, 467–468 AirPort Extreme (snow), 327 580 Index

configuring, 328 problems with, 220 AirPort ID Sophos Anti-Virus for Mac OS X, 226– identifying MAC address, 335 227 AirPort Inspector, 345 virus definitions, 220 Base station details, 346 virus files to test system, 228 AirPort networks zero-day exploits, 221 finding, 344 Apache web server, 378 wireless AirPort network, 279 enabling, 377 AirPort Utility, 330–334 restricting access, 380 Accounts tab, 364 securing by disabling unnecessary Base Station tab, 331, 338 services in, 382 DHCP tab, 333–334 APIs (Application Programming Interfaces) Disks tab, 363 Common Data Security Architecture, 571 Internet Connection tab, 332 APOP (Authenticated POP) Logging & SNMP tab, 336 options for securing mail password, 198 NAT tab, 333 Append/Add Directories access right, 93 Wireless tab, 331, 332 appfirewall.log file, 120–121 AirTunes, 339 Apple Active Directory service see Active ALF (Application Layer Firewall), 301, 306 Directory configuring from command line, 312 Apple AirPort see AirPort starting/stopping ALF, 312 Apple Filing Protocol see AFP socketfilterfw managing, 312 Apple Keychain, 556 algorithms, public-key, 575 see Mail aliases, adding, 64 Apple Partition Map, Disk Utility, 250 aliases, sudoers file, 72 Apple PasswordServer see PasswordServer Cmnd_Alias, 73 Desktop see ARD granting resource access to, 73 Apple updates Host_Alias, 73 Software Update preference pane, 14 Runas_Alias, 73 AppleScript User_Alias, 72 script malware attacks, 217 all mask, pipes, 322 application authentication, 141–143 All Processes option, Activity Monitor, 32, application , 30 34 application identification allow command, ipfw, 319 see also identification Allow option application authentication, 141, 143 accessing applications, 306, 307 bundle identifier, 142 Location directive, CUPS, 19 creator codes, 141, 142 Always option, managed preferences application integrity, 143–144 configuring policies, 449 application layer, 278 always_set_home flag, sudoers file, 71 moving packets, 279 Analyze 
screen, MacForensicsLab, 548–551 securing, 278 anonymous binding, 428 Application Layer Firewall see ALF securing LDAP by preventing, 439–441 Application Programming Interfaces see antispam tools, Mac OS X Server, 210–211 APIs antivirus software, 218–228 application signing, 139–156 best practices for combating malware, application authentication, 141–143 227 application integrity, 143–144 ClamXav, 221–226 signature enforcement in OS X, 144–152 Mac OS X, 219 keychain access, 145–146 McAfee VirusScan, 220 signing/verifying applications, 153–156 Norton AntiVirus, 220–221 application-level encryption, 278 Index 581

applications, 29 mtree file system permissions, 109–111 allowing/denying access to, 306 augmented records, 458 Common Data Security Architecture, 571 authenticate flag, sudoers file, 71 enabling third-party applications, 305 Authenticated Binding field options restricting user access to, 57 securing Open Directory, 435–436 signing and verifying, 153–156 Authenticated POP (APOP), 438 SUID applications, 75–76 options for securing mail password, 198 trusted applications, 145, 312 authentication, 49, 50 validating authenticity of, 46 802.1x protocol, 292, 293 Applications policy application authentication, 141–143 managed preferences, 449, 451 authenticating protocols, 197 Apply to All Descendants access right, 93 Cisco VPN client, 418 Apply to Child Files access right, 93 file sharing security, AFP, 467–468 Apply to Child Folders access right, 93 Kerberized AFP, 468–469 Apply to this folder access right, 93 Kerberos, 426 architecture L2TP-based VPN, 415 Common Data Security Architecture, pluggable authentication modules, 50 571–572 passwordless authentication, 172, 174 archiving logs see rotating logs securing with PasswordServer, 437–439 ARD (), 402 SMB authentication, 371 pushing sudoers file to other users, 74 SSH (Secure Shell), 413 when to enable and dangers, 303 authentication authority ARIN, 393 Kerberosv5, 65 ARP requests, stealth mode, 310 ShadowHash, 65, 66 ASL (Apple System Logger) database authentication methods viewing log files using Console, 115 enabling/disabling, 438, 439 aslmanager, 115 authentication settings, Mail, 199 asymmetric-key cryptography, 574 authentication_authority key, .plist, 65 attach verb, hdiutil command, 251, 252 authenticity attacks validating applications/services, 46 code injection, 398–399 authorization, 49 cross-site scripting (XSS), 398–399 401 error code, 389 Distributed Denial of Service (DDoS), 215 auto-lock settings Denial of Service (DoS), 215, 321 managing multiple keychains, 241 , 349 Automatic login option directory 
traversal, 384 Accounts preference pane, 6 man-in-the-middle, 288 disabling automatic login, 9 Newsham 21-bit, 343 Automator PASV theft, 374 application bundles, 31 proof-of-concept, 325 creating new services, 40 social engineering, 488 Mac OS X, 217 SQL Injection, 398 script malware attacks, 217 attributes, 426 augmented records, 458 Read Attribute access right, 92 ■ B Read Ext Attribute access right, 92 feature, 404–405 Write Attributes access right, 92 Back to My Mac tab, MobileMe, 405 Write Ext Attributes access right, 92 backdoors, 143, 214, 216 Attributes tab, Keychain Access, 237, 238 RavMonE.exe, 216 Audit screen, MacForensicsLab, 554 backhaul, 326 auditing backticks (``) 582 Index

securing Perl scripts, 385 black-box testing, 486 Backup Assistant, Retrospect, 520–525 block ciphers, 573 encryption for backup destinations, 522 Block incoming connections selecting sources to backup, 520, 521 Cyberduck, 306 specifying backup destination, 521, 522 firewall settings, 149, 307–308 backup domain controller (BDC), 453 blogging backup.sb profile, 177 InfoSec acceptable use policy, 568, 569 backups blued daemon, 30 creating offsite copy of critical data, Bluetooth preference pane 513–517 Discoverable option, 16 effect of volumes changing, 248 , 16–18 MobileMe, 513–517 Bluetooth security, 16–18 need for, 505 Bluetooth Sharing service, 39 redundancy, cold sites, 533 Bluetooth-PDA-Sync, 18 redundancy, hot sites, 534 bonding, 561 Retrospect, 517–529 security of, 507 configuring security, 412 services, 534–535 bonjour_module sparse bundles, 248–250 disabling unnecessary services in SuperDuper, 512–513 Apache, 382 tape libraries, 530–531 boot loader, 267 Time Machine, 506–512 bots virtual machines, 509 controlling search engine access, 386 backups vs. 
, 531–533 disabling Googlebot, 394 fault-tolerant solutions, 531–532 broadcast storm, 290 load-balancing devices, 533 browser security see web browser security round-robin DNS, 532–533 Brutal Gift tool, 349 BAND SIZE brute force sparse-band-size key, diskutil, 257 attempting to guess passwords by, 120 bandwidth limiting, 321, 322 KisMAC, 343 Base Station tab, AirPort, 331, 338 bsd.sb sandbox profiles base.sb profile accessing low-level functions, 165 using Sandbox to secure user shells, bssid, 348 167–170 bundle identifier, 142 basename function bundles securing PHP, 384 application bundle, 30 BDC (backup domain controller), 453 Safari bundle, 309 beta versions of software, 213 sparse bundles, 248–250 BIND, 177–178 BIND DNS server, 177 binding ■ C securely binding clients to Open caching Directory, 441–443 dscacheutil command, 67 securing LDAP by preventing securing Open Directory, 437 anonymous binding, 439–441 Carbon to Active Directory, 455 launching non-Mach-O Carbon-based binding policies application, 160 securing Open Directory using, 435–437 Carbon Copy Cloner see CCC bit-flag system Cases screen, MacForensicsLab, 542, 543 modes (access levels), POSIX, 83, 84 cases, computer forensics, 540 BitTorrent sites, 280 cases, MacForensicsLab Index 583

reviewing case, 554–555 child processes, 30 Casper Suite chmod command pushing sudoers file to other users, 74 ACL group names containing , CCC (Carbon Copy Cloner), 172–174 106 rsync, 172, 173, 174 creating inherited ACEs with, 106 scp, 172, 173 managing ACLs using, 97 ssh, 172 managing permissions, 104–107 cd command, Metasploit, 502 suid/sguid bits, 87 CD/DVD with ISO data option, 250 chown permission, 91, 104–107 CDSA (Common Data Security Architecture), chpass verb, hdiutil command, 254 571–572 Chronology tab, MacForensicsLab, 555 Certificate Assistant chroot command, 471 Keychain Access application, 475 CIFS daemon certificates configuring SMB workgroup for DAVE, adding, Entourage, 200 369 creating self-signed signing certificate, ciphers 154 block ciphers, 573 digital certificate, 153 steam ciphers, 574 guarantee of legitimacy, 149 Cisco VPN client self-signed certificates, 392 authentication, 418 signing and verifying applications, 154 configuring, 418 SSL certificates, OS X security, 474–475 connecting to, 417–418 trusted authorities, 392 ClamAV antispam tool, 478 user changing password on disk images, Mac OS X Server, 210 254 ClamXav antivirus software, 221–226 viewing certificates for , 201 Folder Sentry feature, 225, 226 Certificates screen, Entourage, 200, 201 schedule scan preferences, 225 CGI (Common Gateway Interface) Snow Leopard, 221 disabling, 381 virus scanner, 224 securing files on web server, 396 Classic policy CGI-BIN directory, 381 managed preferences, 449 CGI-Executables directory, 381 Clear Recent History option, Firefox, 191 cgi-redirect, securing PHP, 383 client IP addresses CGPSA, using with CommuniGate Pro, 211 enabling Internet Sharing, 314 chain of custody of data, forensics, 538 client management challenge, NTLMv1, 371 Managed Client OS X (MCX), 149–152 Change Ownership access right, 91 parental controls, 152 Change Password button client security see firewalls Accounts preference pane, 5 client-server networks, 282, 354 Change 
Permissions access right, 91 client-side caching Change Settings setting, Remote securing Open Directory, 437 Management, 407 clients characters providing directory services for Windows filtering user input, 399 clients, 453–454 Check Point, 267–269 securely binding clients to Open checksum, MacForensicsLab, 546 Directory, 441–443 chflags command, 105 wireless security on client computers, chgrp command, 104 339–340 child files/folders Clients tab, SquidMan utility, 296 Apply to Child Files/Folders access clipboard (pboard) process, 43 rights, 93 Cloverleaf, 562 584 Index

clustered file systems, Xsan, 559 automatically allowing signed software CMD column, ps command, 35 to create, 149, 308–309 Cmnd_Alias, sudoers file, 70, 73 Block incoming connections, Cyberduck, combining PPP and SSH as VPN link, 306 419 blocking all incoming connections, 149, syntax of sudoers file, 74 307–308 code injection attacks, 398–399 connecting over FTP, 373 cross-site scripting (XSS), 398–399 finding IP addresses, 302 protecting web site from, 399 half connection, 489 SQL Injection, 398 remote connectivity, 402–408 Code Red worm, 216 TCP connect scan, 489 code signing, 144, 153 Console Messages screen codesign tool, 155, 309 viewing log files, 115 cold sites, backups, 533 Console utility, 115–118 com.apple.pboard process, 43 copy data from log files, 117 command line commands Database Searches section, 117 viewing output one screen at a time, 36 Event Viewer, Windows, 130 command-line logs, 123 marking log files, 116–117 Common Data Security Architecture (CDSA), searching log files, 117–118 571–572 viewing log files, 115–116, 125 Common Gateway Interface see CGI large log files, 117 Common Security Services Manager contacts (CSSM), 571 securing Open Directory, 437 Common Unix Printing System see CUPS viewing certificates for, 201 communication Content tab, Firefox, 194, 195 limiting via iChat and Mail, 59–61 Control setting, Remote Management, 407 communication paths, roles, 300 controlling access see access control CommuniGate Pro, 211–212 cookies, 186 computer forensics, 537 Only from sites I visit option, Safari, 187 see also MacForensicsLab Show Cookies button, Safari, 186 cases, 540 copy issues, troubleshooting, 43 chain of custody of data, 538 Copy items setting, Remote Management, checksum, 546 407 command-line tools, 558 copyrighted material creating image of unaltered evidence, InfoSec acceptable use policy, 566 544 peer-to-peer networks, 281 disabling disk arbitration, 538 cowpatty tool, 349 forensically acquiring disk images, 557 CPU column, 
Activity Monitor, 34 incident response, 538–539 cracking WEP keys, 347–348 MacForensicsLab, 539–556 cracking wireless networks other GUI tools for, 556 safeguards against, 349–350 Safari Forensic Tools (SFT), 557 cracking WPA-PSK, 348–349 smeared images, 546 CrashReporter, 124 tainting evidence, 538 create verb, hdiutil command, 253 write blocking, 538 creator codes Computer Forensics World, 537 application identification, 141, 142 computer programs, 29 credentials computer-to-computer networks, securing, configuring Open Directory, 430, 431 340–341 Nessus, 499 confidentiality see data confidentiality crontab connections hard links security issues, 107 Index 585

cross-site scripting (XSS) attacks, 398–399 Data Compression option, Retrospect, 527 cryptographic hash functions, 574 data confidentiality, 233 cryptography, 573–576 disk images as encrypted data stores, asymmetric-key cryptography, 574 243–257 block ciphers, 573 file system permissions, 79 Diffie-Hellman key exchange protocol, FileVault encrypting user data, 257–265 574 full disk encryption, 266–272 elliptic-curve cryptography, 575 keychain securing sensitive data, 234– public-key cryptography, 574, 575 243 stream ciphers, 574 data packet encryption, 288 symmetric-key cryptography, 573, 574 data theft, forensics, 537, 538 CSSM (Common Security Services data transmission, packets, 283 Manager), 571 data, IP packets, 283 cu.modem.log, 129 database administrators CUPS (Common Unix Printing System), 18 accessing web site database through CUPS web interface, 19 firewall, 398 Administration tab, 19, 20 Database Searches section, Console, 117 Allow option, Location directive, 19 Database toolbar item Require User option, Limit directive, 20 installing MacForensicsLab, 540 cupsd daemon, 30 database, MacForensicsLab, 541 cut issues, troubleshooting, 43 datagrams, 283 Cyberduck, 305, 306 DAVE, 366–372 allowing/denying access to, 306 client using Kerberos, 371 Block incoming connections option, 306 communicating with Active Directory controller, 367 configuring SMB Setup name in, 368 ■ D configuring SMB workgroup for, 368 installing, 367 d (directory) type, POSIX, 83, 356 providing description for, 369 d option, mount command, 75 sharing data through , 369 DAC (discretionary access control), 156 DAVE Login preference pane, 369 bypassing DAC model, 157 DAVE Network preference pane, 370 permission models, 374 Identity tab, 370 daemons, 30 LAN Manager Authentication Level BIND, 177 setting, 371 bypassing DAC model, 157 Policies tab, 370, 371, 372 DirectoryService, 68 dd command, forensics, 558 diskarbitrationd, 43 DDoS (Distributed Denial of Service) attacks, httpd, 378–379 
215 ipfwloggerd, 320 declarations, sandbox profiles, 161, 162 launchd, 33, 34 restriction declarations, 162 LaunchDaemons service, 44 decryption see encryption nessusd, 497 deep packet inspection (DPI), 288 pppd, 419 default (out of the box) security settings, 3 sandboxing, 159 default web site files, replacing, 379 services, 38 Delete access right, ACEs, 93 slapd, 426 Delete Child access right, ACEs, 93 stopping, 43–44 delete command, ipfw, 319 turning on or off, 38 delete privilege, 93 verifying not running, 44 Denial of Service attacks see DoS viewing running on Mac, 38–39 deny command, ipfw, 319 daily.out log file, 126–127 586 Index

Deny option, access to applications, 306, POSIX permission groups, 81 307 directory traversal attacks, 384 descendants directory type, POSIX, 83 Apply to All Descendants access right, 93 binding to Active Directory using, 456 DES-encrypted data, block ciphers, 573 configuring OS X to use Active Directory, Desktop Database 455 application identification, 141, 142 disabling superuser account, 55 desktop solutions for securing e-mail, 207 enabling superuser account, 54 Destinations tab, Retrospect, 527 root account, 69 detach verb, hdiutil command, 253 securely binding clients to Open df command, 75 Directory, 441, 442 DHCP scope, AirPort, 333–334 directory_inherit permission, 93 dictionaries DirectoryService daemon, 68 Hide Profanity in Dictionary option, 57 Disable automatic login option, 9 dictionary attacks Disable Location Services option, 10 safeguards against cracking wireless Disable Login Passwords options, 433 networks, 349 Disable remote control infrared receiver Diffe-Hellman exchange (DHX), 438, 574 option, 10 digital certificates Disable Root User option, 55 implementing, web site security, 392 discoverable devices, 16 signing and verifying applications, 153 Discoverable option, Bluetooth, 16 digital signatures, 575 discretionary access control see DAC man-in-the-middle attack, 371 disk arbitration, 538 Direct tab, SquidMan utility, 296 disabling, MacForensicsLab, 544 directives, securing PHP, 383, 384 disk images directories as encrypted data stores, 243–257 controlling directory access, 388–391 agentpass option, hdiutil, 255 dual-directory environment, 454 attach verb, hdiutil, 251 execute mode, POSIX permissions, 82, chpass verb, hdiutil, 254 83 create verb, hdiutil, 253 making invisible, 105 creating encrypted disk images, 245– securing directory listings, 396–397 251 sticky bit preventing deletion, 87 creating sparse image, 253 write mode, POSIX permissions, 82 data confidentiality, 251 Directory Access application detach verb, hdiutil, 253 Active 
Directory integration, 454 Disk Utility options, 246–250 directory nodes effect of volumes changing on creating second local directory node, 68 backups, 248 directory services encryption option, hdiutil, 253 configuring in Leopard, 443 format option, hdiutil, 256 ds prefixed commands, 66–67 hdiutil command, 251–257 Kerberos, 426–428 interfacing from command line, 251– LDAP, 425–426 257 local directory services, 65–69, 425 mounting disk images, 251, 252 Mac OS X Server security, 425–428 mountpoint option, hdiutil, 252 managed preferences, 449–453 nobrowse option, hdiutil, 252 Open Directory, 425, 428–458 owners option, hdiutil, 252 popular directory services, 426 preventing volume showing in user’s providing for Windows clients, 453–454 devices list, 252 Directory Services database recover option, hdiutil, 255 Index 587

securing data on mounted volume, dmg file extension, 244 252 DMZ (demilitarized zone), 286 sparse bundles, 248–250 AirPort, 341 stdinpass option, hdiutil, 253, 255 managed switches, 290 type option, hdiutil, 253, 255, 256 DNS, 277 volumes changing, 248 BIND DNS server, 177 encrypted disk images, 24–25 Kerberos, 427 creating, 245–251 Mac OS X Server security, 473 file extension denoting, 244 masquerading as DNS server, 489 forensically acquiring disk images, 557 reverse-domain notation, 142 mounting, 244 round-robin DNS, 532–533 attach verb, hdiutil command, 251 DNS zone transfers, 489 automating for backups, 252 Dock policy, managed preferences, 449 in Finder, 250 domain names, identifying, 488 user changing password on, 254 domains Disk Utility application Active Directory, 455, 456 controlling mounting/unmounting of naming internal, 473 disks, 75 reverse-domain notation, 142 creating encrypted disk images, 245 Safe Domains tab, Entourage, 205, 206 Encryption field, 246 DoS (Denial of Service) attacks, 215, 321 Format (file system) field, 250 firewalls, 285 Image Format field, 246–248 InfoSec acceptable use policy, 567 options, 246–250 security through obscurity, 279 Partitions field, 250 dosevasive, script security, 384 encrypted disk images, 24 DPI (deep packet inspection), 288 restricting disk access, 74 drives securely erasing disks, 21 mapping within Windows, 456 Disk Utility logs, rotating, 121 mount command, 75 diskarbitrationd process, 43 not automatically registering/mounting, disabling, 75 75 DiskRecording.log file, 122 drones, 215 disks drop-box folder controlling mounting/unmounting of, 75 security issues, 107 full disk encryption, 266–272 POSIX example, 90 restricting access using mount points, dscacheutil command, 67 74, 75 dscl command, 67, 440 securely erasing, 21–23 viewing managed preferences, 451 showing mounted disks, 75 dsconfigad command showing volumes mounted on system, Active Directory integration, 454, 455 75 file sharing security, Samba, 
470 Disks tab, AirPort Utility, 363 using AD-Plugin from command line, 457 diskutil command dseditgroup command, 67 controlling mounting/unmounting of dsenableroot command, 55, 67 disks, 75 dserr command, 67 image formats used with, 256 dsexport command, 67 sparse-band-size key, 257 dsimport command, 67 DiskUtility.log file dsmemberutil command, 67 reviewing command-line logs, 123 dsperfmonitor command, 67 reviewing user-specific logs, 121 dst-ip mask, pipes, 322 Distributed Denial of Service (DDoS) attacks, dst-port mask, pipes, 322 215 dual-directory environment, 454 588 Index

dual directory, setting up, 458 Kerio MailServer, 208–210 Duh worm, iPhone, 144 Keychain Access utility, 197 dummynet, 321–324 Mail port settings for SSL, 197 creating pipes, 321–322 mail server-based solutions for spam pipe masks, 322–323 and viruses, 207–212 queues, 323–324 options for securing mail password, 198 DVD or CD Sharing service, 38 PGP Desktop, 207 DVD/CD Master option, Disk Utility, 246 SSL, 196–199 Dynamic Host Control Protocol (DHCP) verifying authenticity of server, 197 enabling Internet Sharing, 313 viewing certificates for contacts, 201 Enable Junk Mail Filtering checkbox, 203 Enable Root User option, 54 ■ E Enable stealth mode, 149 enableSSO option, dsconfigad command, echo requests 457 stealth mode, 310 EnCase, 539 edu.mit.Kerberos file encrypted disk images, 24–25 file sharing security, AFP, 468 creating, 245–251 Effective Permissions tool, Server Admin, Disk Utility options, 246–250 102, 103 disk images as encrypted data stores, EFI (extensible firmware interface), 268 243–257 Eicar.org interfacing from command line, 251–257 virus files to test system, 228 hdiutil command, 251–257 Elk Cloner, 216 user changing password on disk images, elliptic-curve cryptography, 575 254 e-mail encrypted keychains, 25–26 Junk E-mail Found alert, 206 encryption, 233–272 macro viruses attaching to, 217 AirPort encryption protocols, 327 spam, 206 AirPort, setting for older versions of, 329 protecting against, 184 application-level encryption, 278 SSL protection, 185 Check Point, 267–269 using strong passwords, 184 configuring Entourage to use SSL, 199 e-mail alerts, MacForensicsLab, 544 cryptography, 573–576 e-mail attachments data packet encryption, 288 best practices for combating malware, disk images as encrypted data stores, 227 243–257 script malware attacks, 217 extensible firmware interface (EFI), 268 e-mail headers, 202 encrypting beyond home directory, 13 e-mail hoaxes FileVault, 11 socially engineered malware, 218 encrypting user data, 257–265 e-mail 
security, 196–202 Firefox security, 190 see also mail protocols FTP, 374 antispam tools, Mac OS X Server, 210– full disk encryption (FDE), 13, 266–272 211 GPG tools, 207 blocking access to mail being sent over InfoSec acceptable use policy, 565 port 25, 200 keychain securing sensitive data, 234– CommuniGate Pro, 211–212 243 desktop solutions, 207 password security, 184 Entourage, 199–202 PGP Desktop, 207 establishing mail provider protocol PGP Encryption, 269–270 support, 197 public-key-encryption, 174 GPGMail, 207 Index 589

safeguards against cracking wireless risk of tainting evidence, 538 networks, 349 Examiners screen, MacForensicsLab, 541 SecureDoc, 271–272 examiners, MacForensicsLab, 542 symmetric-key cryptography, 573, 574 execute mode, POSIX permissions, 82, 83 TrueCrypt, 270–271 alpha/decimal/binary formats, 84 Encryption field, Disk Utility, 246 file sharing, 355 encryption option, hdiutil command, 253 execute permission, files, 92 encryption, AirPort, 332 Execute/Search access right, ACEs, 92 Entourage exit command, Metasploit, 502 adding certificates, 200 exploits, Metasploit, 503 advanced receiving options, 199 exporting directory services data, 67 advanced sending options, 200 Exposé application Certificates screen, 200, 201 assigning key or hot corner, 10 configuring to use SSL, 199 extended attributes e-mail security, 199–202 Read Ext Attribute access right, 92 filtering spam with, 204–205 Write Ext Attributes access right, 92 programming with, 202 (HFS+) security preferences, 201, 202 permissions with ACLs, 356 using white listing in, 205–206 external accounts, 68 viewing certificates for contacts, 201 enumerating web servers, 395–396 enumeration, 488 ■ F env_editor flag, sudoers file, 71 f option, dsconfigad command, 457 equal cost path, round-robin DNS, 532 f option, mount command, 75 Erase tab, Disk Utility, 21, 22 failed keyword error codes, 389 items to lookout for in log files, 129 error keyword failover see fault-tolerant solutions items to lookout for in log files, 129 false positives, spam filtering, 203, 204, 207 errors Fast User Switching, 8 dserr command, 67 fault tolerance see backups vs. 
fault escaping characters, sudoers file, 73 tolerance etc/authorization file, 50 fault-tolerant solutions, 531–532 etc/ipfilter/ipfw.conf, 320 active-active, 532 etc/services file active-passive, 531 port utilization for services, 278 FDE see full disk encryption etc/smb.conf file Fibre Channel, 559, 561 file sharing security, Samba, 470 Xsan metadata, 560 Ethereal, 349 file permissions see permissions Ethernet card, network adapters, 315 file security, Mac OS X, 354–357 Ethernet network, 279 LKDC, 355 Power over Ethernet (PoE), 290 POSIX permissions, 355–356 Ethernet protocol, 283 file security, web server, 396–398 EtherPeek, 347 file sharing Ettercap, 347 AirPort, 362–366 Event Viewer, Windows, 130–131 Apple Filing Protocol (AFP), 357–359 accountability for reviewing logs, 134 limiting access to files/folders, 358 EventID.net, 131 client-server networks, 354 everyone, POSIX permissions, 355 configuring AFP sharing, 358 evidence, computer forensics DAVE, 366–372 creating image of unaltered evidence, FTP, 372–374 544 peer-to-peer (P2P) networks, 354

permission models, 374–375 controlling use of, 56 permissions with ACLs, 356–357 finding log files, 118 risks of, 353 full disk encryption, 266 Samba (SMB), 359–362 managing permissions, 103–104 Sharing Only account, 353 modifying .DS_Store files, 248 viewing shared folders, 464 mounting disk images in, 250 file sharing security, OS X Server, 463–471 Sharing & Permissions window, 104 AFP, 466–470 sparse bundles viewed from, 249 FTP, 471 Finder drop-box folder NFS, 465–466 POSIX example, 90 Samba (SMB), 470 Finder policy File Sharing service, 39 managed preferences, 449, 452 File Sharing tab, Server Admin Finder Services menu, Snow Leopard, 40 managing ACLs, 97, 98 fingerprinting, 486–488 modifying POSIX permissions, 98 IP addresses, 487 file size, 465 performing whois lookup, file system access, sandbox profiles, 164 487 file system, Disk Utility, 250 nmap, 489 file systems port scanning, 488 clustered file systems, 559 tools for, 486 mount command options, 75 Firefox mtree auditing permissions, 109–111 indicating allowed application is not file type, POSIX, 83 signed, 151 File Types to Include screen, Mac OS X standards and, 196 MacForensicsLab, 553 Master Password dialog box, 193 file_inherit permission, 93 privacy, 190–192 files, making invisible, 105 security FileVault, 11, 12 about:config page, 195 changing settings, 13 Advanced tab, 190 enabling FileVault for users, 260–262 Content tab, 194, 195 encrypting beyond home directory, 13 encryption, 190 encrypting user data, 257–265 Java, 195 full disk encryption, 266, 267 JavaScript, 194 limitations of sparse images, 264–266 pop-up windows, 194 master password, 263–264 Privacy icon, 190, 191 reclaiming space, 264–266 saving passwords, 192–194 setting master password, 13 Security tab, 193 setting up before other users, 12 viewing saved passwords, 194 FileVault tab web browser security, 189–196 Security preference pane, 12–13 Firewall tab, Security preferences, 13–14, FileVaultMaster keychain, 263, 264 147, 304–310 
file-write* provisions, sandbox, 164 firewalls, 285, 299 Filter box, Console Toolbar, 117 accessing web site database through filtered port, 491 firewall, 398 filtering advanced settings, 148–149 Apple Mail for spam, 203–204 Application Layer Firewall (ALF), 301, characters from user input, 399 306, 312 hardware, AirPort, 334–336 allowing/denying access to applications, spam with Entourage, 204–205 306 Final Cut Server, backing up, 535 allowing signed software to create Finder connections, 308–309

appfirewall.log file, 120–121 Format (file system) field, Disk Utility, 250 blocking all incoming connections, 307– format option 308 diskutil command, 256 command line configuration, 315–324 hdiutil command, 256 dummynet, 321–324 fqdn flag, sudoers file, 71 ipfw, 317–320 FTP, 372–374 configuring, 303, 304–307 connecting over, 373 controlling services, 301–304 DMZ (demilitarized zone), 286 disabling, 305 enabling FTP sharing, 372, 373 enabling, 13, 305 encryption, 374 AirPort, 332–333 file sharing security, OS X Server, 471 stealth mode, 309–310 PASV mode, 374 third-party services/applications, 305 security, 373 hardware appliance firewall, 299 sftp, 397 ipfw firewall, 147 FTP Access service launchd starting/stopping ALF, 312 when to enable and dangers, 303 Mac OS X protecting other computers, Full Control permission, ACE 313–315 mapping permissions to rights, 99 network adapters, 315 full disk encryption (FDE), 13, 266–272 network services, 300–301 Check Point, 267–269 OS X application firewall, 147–149 PGP Encryption, 269–270 outgoing network traffic blocking, 317 SecureDoc, 271–272 removing sharing services, 305 TrueCrypt, 270–271 rules, 300 fully qualified hostnames setting advanced firewall features, 307– flags defining privileges in sudoers file, 310 71 socketfilterfw managing ALF, 312 software firewall, 299, 301 ssh security, 475 ■ G testing, 310–311 gateways, 283 troubleshooting problems, 307 General tab working in Leopard and Snow Leopard, Security preference pane, 9–11 304–307 SquidMan utility, 295–296 FireWire interface, network adapters, 315 Generate Reports setting, Remote First option, configuring policies, 449 Management, 407 flags, sudoers file, 70–71 generated unique identifier (GUID) Flash permissions with ACLs, 356 disabling pop-ups in Safari, 186 generateduid key, 65 flow control, 291 ggid option, dsconfigad command, 457 Folder Sentry feature, ClamXav, 225, 226 gid keyword, mtree, 109 folders global password policies Apply to this folder access 
right, 93 securing Open Directory accounts, 432– permissions with ACLs, 356–357 435 viewing shared folders, 464 gnam keyword, mtree, 109 FollowSymLinks directive, 397 golden master, MacForensicsLab, 546 Force Quit option, 41, 42 Google forensics see computer forensics protecting privacy of information, 394– Forensics Toolkit (FTK), 539 395 forest, Active Directory, 455, 456 Googlebot, disabling, 394 forgotten passwords GPG tools, 207 password reset options, 11 GPGMail, 207

grooming scripts, Retrospect, 525–527 Hex Content tab, MacForensicsLab, 549 group accounts, 53 HFS+ (Extended file system) storage of, 65 permissions with ACLs, 356 groups hidden links adding users to, 53–54 blocking hosts based on robots.txt, 387 creating, 53 hidden processes, 301 Open Directory groups, 446–447 hidden service users and groups, 65 defining group of computers, 73 Hide Profanity in Dictionary option, 57 dseditgroup command, 67 hiding wireless network, 337–338 POSIX permissions, 104, 355 history GSSAPI (Kerberos Version 5) Clear Recent History option, 191 options for securing mail password, 198 history command guest accounts, 53 accountability for reviewing logs, 134 hidden service users and groups, 65 history files GUID partition map rotating logs, 123 Partitions field, Disk Utility, 250 reviewing command-line logs, 123 home folders file sharing security, NFS, 465 ■ H HOME variable flags defining privileges in sudoers file, hacking tools see wireless hacking tools 71 half scan, 491 HomeDirectory attribute hard links enabling FileVault for users, 261 drop-box folder, 107 honeypots, 496–497 security issues, 107–108 hops hard quotas, 562 moving packets, 278, 284 hardening security, 49 host intrusion detection, 493–494 hardware appliance firewall, 299 Host_Alias, sudoers file, 70, 73 hardware filtering, AirPort, 334–336 syntax of sudoers file, 74 hash directory, 66 hosts hash files blocking based on robots.txt, 387–388 ntlm hash type, 66 hot corners ShadowHash authentication, 65, 66 Exposé application assigning, 10 hash functions, cryptographic, 574 hot sites, backups, 534 Hash Methods options htaccess file, 388–391 Open Directory authentication, 437, 438 controlling directory access, 388, 389– hdiutil command, disk images, 251–257 391 agentpass option, 255 customizing error codes, 389 attach verb, 251, 252 password protecting Apache folder, 459 chpass verb, 254 htgroup file, 388 create verb, 253 htpasswd file, 388 creating sparse image, 253 controlling 
directory access, 390–391 detach verb, 253 HTTP encryption option, 253 network protocols, 278 format option, 256 port 80, 278 mountpoint option, 252 port for HTTP over TLS, 391 nobrowse option, 252 HTTP_REFERER variable owners option, 252 securing Perl scripts, 385 recover option, 255 httpd (HTTP daemon) service, 378–379 stdinpass option, 253, 255 https, SSL protection, 185 type option, 253, 255, 256 hubs, 288, 289 header, IP packets, 283

■ acceptable use policy, 563–569 I infrared remote controls, 10 I state, ps command, 36 inheret_only flag, 93 IANA, port numbers, 300 inheritance iChat creating inherited ACEs with chmod, 106 limiting communication via, 59–61 directory_inherit permission, 93 iChat server, security, 477–478 file_inherit permission, 93 id command, 67 limit_inherit permission, 93 id_dsa/id_dsa.pub keys, SSH, 414 Make Inherited Entries Explicit, 101 identification, 49 only_inherit permission, 93 see also application identification propagating ACLs, 101 authentication, 50 propagating permissions, 100 Identity tab, DAVE Network pane, 370 inheritance category, ACEs, 93 identity theft, 183, 233 inheritance, POSIX, 84–86 iDisk data, backing up, 516 injection attacks iDisk tab, MobileMe, 516, 517 code injection, 398–399 IEEE 802.11 protocol, 326 cross-site scripting (XSS), 398–399 command SQL Injection, 398 changing MAC address, 287 input validation iKee worm, iPhone, 144 PHP, 383–384 image acquisition, MacForensicsLab, 546– securing Perl scripts, 385 548 install.log file, 114 Image Format field, Disk Utility insults flag, sudoers file, 71 encrypted disk images, 25, 246–248 integrity DVD/CD Master option, 246 application integrity, 143–144 Read/Write disk image option, 246 file system permissions, 79 Sparse bundle disk image option, Intel CDSA site, 572 247 Internet Connection tab, AirPort, 332 sparse bundles, 248–250 Internet policy, managed preferences, 449 Sparse disk image option, 247 Firewall see ipfw images Internet Sharing, 313 disk images as encrypted data stores, dangers of, 314–315 243–257 enabling, 313–314 Load images automatically option, rogue access points, 290 Firefox, 195 settings, 313 IMAP Internet Sharing service, 39 configuring Entourage to use SSL, 199 Internet tab, OS X, 305 e-mail security, 197 Internet tab, Sharing preferences, 313 using SSL, 196 intrusion detection, 492–497 network protocols, 278 host intrusion detection, 493–494 importing directory services data, 67 
network intrusion detection, 494–497 Inactive Processes option, Activity Monitor, intrusion potential see network scanning 33 invisible items, Time Machine, 508 incident response plan IP (Internet Protocol) see TCP/IP reviewing logs, 134–135 IP addresses incident response, forensics, 538–539 blocking hosts based on robots.txt, 387 include_path, securing PHP, 384 client IP addresses, 314 incorrect keyword configuring multiple IP addresses, 316 items to lookout for in log files, 129 connecting names with, 277 infiltration, networks, 277 enabling Internet Sharing, 314 info command, Metasploit, 502 finding, 302 InfoSec

fingerprinting, 487 ■ limiting DHCP scope, 334 K moving packets, 278 kdcsetup command, 448 restricting Apache access, 380 kdestroy command, 448 security through obscurity, 279 Kerberized POP, 198 spoofing, 287 Kerberos, 426–428 IP packets, 283 components, 427 IP traffic, four-layer model, 278 creating keytab files, 448 IPC (inter-process communication) DAVE client, 371 Mach IPC, 163 establishing/caching Kerberos ipfw (Internet Protocol Firewall), 317–320 connections, 448 commands, 318, 319 file sharing security, AFP, 468–469 creating pipes, dummynet, 321–322 listing tickets, 448 disabling firewalls, 305 options for securing mail password, 198 etc/ipfilter/ipfw.conf, 320 realms, 427 ipfw rules, 318–319 removing tickets from cache, 448 outgoing network traffic blocking, 317 securing from command line, 448 restricting Apache access, 380 Kerberos Version 4, 198 setting logging options per rule, 319 Kerberos Version 5 (GSSAPI), 198 shareware GUI tools for firewall, 147 kerberosautoconfig command, 427, 448 software firewall, 301 Kerberosv5 authentication authority, 65 syntax for ipfw toolkit, 317 Kerio MailServer ipfw.conf file, 320 configuring spam filter, 208–210 ipfwloggerd, 320 kernel_task process, 33, 34 iPhone kernels jail-breaking, 144 memory manager for OS X kernel, 34 malware, 144 key authentication signing/verifying applications, 153 securely automating remote rsync, 175 Ipkts field, daily.out file, 126, 127 keychain IPSec VPN client securing sensitive data, 234–243 connecting to Cisco VPN, 417 keychain access ISP (Internet service provider) signature enforcement in OS X, 145–146 blocking access to mail being sent over Keychain Access utility port 25, 200 Access Control tab, 238, 239 establishing mail provider protocol Attributes tab, 237, 238 support, 197 Certificate Assistant, 475 iStumbler, 344–346 creating secure and passwords, iTunes port, AirPort Express, 339 237–240 managing multiple keychains, 240, 241, 243 ■ options, 25, 26 J resetting password, 235 
Jabber, 478 signing and verifying applications, 154 jail-breaking, iPhone, 144 SSL certificates, 197 Java plug-ins OS X security, 474 web browser attacks on Mac, 187 Keychain Minder application, 235, 236 Java, Firefox security, 195 keychain passwords, 25 JavaScript, Firefox security, 194 keychains Junk E-mail Found alert, 206 encrypted keychains, 25–26 junk mail see spam FileVaultMaster keychain, 263, 264 global keychain, 237 login keychain, 234–237

creating secure notes and transport layer, 278 passwords, 237–240 LDAP (Lightweight Directory Access resetting password, 235–236 Protocol), 425–426 managing multiple keychains, 240–243 enforcing managed preferences on System keychain, 237 systems, 452, 453 keys LDAP, securing cracking WEP keys, 347–348 enabling SSL, 431–432 establishing SSH key, 420 implementing custom LDAP ACLs, 444 Exposé application assigning, 10 preventing anonymous binding, 439–441 generateduid key, 65 ldapsearch command, 444 symmetric-key cryptography, 573, 574 legacy Windows systems keywords enabling Open Directory server as PDC, items to lookout for in log files, 129 453 kill command, 4, 42 Leopard killall command, 42 account types, 51, 53 Kind column, Activity Monitor, 35 binding clients to Open Directory, 441, kinit command, 448 442 KisMAC, 342–344 choosing directory service to configure rogue access points, 343 in, 443 klist command, 448 configuring security service in, 443 kSBXProfileNoWrite profile granular control of managed settings, 63 seatbelt framework, 179, 180 ipfw program, 317 ktlist command mandatory access control (MAC), 157 file sharing security, Samba, 470 parental controls, 56, 58 quarantine function, Launch Services, 219 ■ L sandbox, 156, 158 seatbelt access control, 157 l () type, POSIX, 83 working with firewalls in, 304–307 L2TP-based VPN, 415 library logs, 124 setting up, 415–416 Library/Logs folder LAN Manager, 437 reviewing library logs, 124 Authentication Level setting, DAVE reviewing user-specific logs, 121 Network preferences, 371 Lightweight Directory Access Protocol see LANMAN, SMB authentication, 371 LDAP Latest Threats web site, 221 Limit directive, CUPS, 20 lattice, MAC, 374 limit_inherit permission, 93 LaunchAgents service, 44 Lingon tool, 44–45 launchctl command link aggregation, 291 stopping daemons, 43 link keyword, mtree, 110 launchd daemon, 33, 34 link layer, 279 GUI tools for managing, 44–45 links, hidden, 387 logging data, 122 list permission, 
folders, 92 starting/stopping ALF, 312 listeners, ports, 278 types of launchd services, 44 LKDC, 355 LaunchDaemons service, 44 lladdr option, ifconfig, 287 launchd-user.conf file Load images automatically option, Firefox, applying new umask value, 86 195 layers, link/physical, 279 load verb, launchd, 312 layers, protocols, 277 load-balancing devices, 533 application layer, 278 loaders four-layer model, 278

virus , 143 Log out option, Security preferences, 10 local administrative accounts, 68 log_host/log_year flags, sudoers file, 71 local directory services, 65–69, 425 logging creating second local directory node, 68 file sharing security, AFP, 469–470 ds prefixed commands, 66–67 ipfwloggerd, 320 ShadowHash authentication, 66 setting options per ipfw rule, 319 localhome option, dsconfigad command, Logging & SNMP tab, AirPort, 336 457 logic bombs, 214, 215 Location directive, CUPS, 19 logical unit number (LUN), 560 location services login accounting Disable Location Services option, 10 monthly.out log file, 129 locked-down process, sandbox, 162 Login Items tab, Accounts pane, 45, 46 log files login keychains, 234–237 AirPort logging, 336–337 creating secure notes and passwords, appfirewall.log, 120–121 237–240 archiving, 125 encrypting user data, FileVault, 258 brute force password attempts, 120 Keychain Minder application, 235, 236 changing location, 379 managing multiple keychains, 240–243 command-line logs, 123 resetting password, 235–236 copying data from, 117 security risks, 237 daily.out log file, 126–127 login options DiskRecording.log, 122 changing what runs at login, 45–46 DiskUtility.log, 121 disabling automatic login option, 9 finding, 118–121 keychain passwords, 25 flags defining privileges in sudoers file, Mac OS X security, 6–8 71 Remote Login service, 39 identifying who ran programs, 120 Login Options, Accounts preferences, 6 information in, 113–115 enabling root user, 6 items to lookout for in, 129 removing administrative access, 8 launchd daemon logging data, 122 Show Password Hints option, 7 library logs, 124 Login policy, managed preferences, 449, Library/Logs folder, 121 452 maintenance logs, 124–129 logins marking, 116–117 DAVE Login preference pane, 369 monthly.out log file, 129 Disable Login Passwords options, 433 newsyslog, 125 logout option, 10 periodic.conf file, 125 logs see log files reviewing, 133–135 Logs tab, parental controls, 62 
accountability, 133–134 Logs window, Console, 116 incident response plan, 134–135 logsentry, 130 sandbox declarations, 161 LUN (logical unit number) searching, 117–118 Xsan, 560 secure.log, 119–120, 125 system.log, 125 user-specific logs, 121–122 ■ M value and importance of, 113 Mac viewing, 115–116 as carriers of malware, 216 large log files, 117 Back to My Mac feature, 404–405 weekly.out log file, 128 classifying malware, 213–216 Windows methods to log events, 130– macro viruses, 216 133 security auditing, 497–504

simultaneous access to shared storage, Server Admin console, 211 559 services, 30 threat of malware on Mac, 216–217 signature enforcement in, 144–152 web browser attacks on, 187 Sophos Anti-Virus for, 226–227 MAC (mandatory access control), 157, 374 stopping processes, 41 MAC address, 290, 334 suid/sguid bits, 87 changing, 287 Mac OS X Client security see firewalls filtering, 290, 334–336 Mac OS X security identifying, 335 see also security spoofing, 287 accounts, 4–6 MAC filtration, enabling, 335 Bluetooth security, 16–18 Mac OS customizing system preferences, 4 application bundles, 31 encrypted disk images, 24–25 file permissions, 80–81 encrypted keychains, 25–26 hard links security issues, 108 list of best practices, 27 POSIX permissions, 80 login options, 6–8 viewing daemons running on, 38–39 out of the box default settings, 3 viewing processes running on, 31–40 printer security, 18–20 Activity Monitor, 31–35 root account, 69 ps command, 35–36 Secure Empty Trash feature, 23–24 top command, 36–38 securely erasing disks, 21–23 viewing services available, 39–40 security preferences, 9–14 Mac OS X, 50 Software Update preference pane, 14– account types, 51–53 16 access control entries (ACEs), 80, 91–94 using strong passwords, 4 access control lists (ACLs), 80, 91–97 Mac OS X Server antivirus software, 219 antispam tools, 210–211 application firewall, 147–149 ClamAV antispam tool, 210 authorization, 49 SpamAssassin tool, 210 Automator, 217 Mac OS X Server security, 423 default umask value, 85 see also security discovery tool for, 344 directory services, 425–428 file security, 354–357 DNS, 473 LKDC, 355 file sharing, 463–471 POSIX permissions, 355–356 iChat server, 477–478 Firefox and Mac OS X standards, 196 Kerberos, 426–428 firewall, 299 LDAP, 425–426 hard links security issues, 107–108 limiting access to services, 423–424 Mach microkernel, 163 Open Directory, 428–458 maintenance scripts, 125 proxy service, 480–481 Managed Client OS X (MCX), 149–152 root user, 425 
managing ACLs on server, 97–103 Secure Shell (SSH), 475–477 memory manager for kernel, 34 securing Mail server, 478–480 not automatically registering/mounting server admin from command line, 477 drives, 75 SSL certificates, 474–475 out of the box user/group, 81 web server security, 459–462 password reset utility, 11 wireless security using RADIUS, 471– permissions problems, 81 473 POSIX permissions, 81–91 MacForensicsLab, 539–556 protecting other computers, 313–315 see also computer forensics sandbox profiles, 159 Acquire feature, 546–548

Analyze screen, 548–551 establishing mail provider support for, Audit screen, 554 197 browsing drive contents, 549 IMAP, 196, 197 case details, 543 POP, 196, 197 Cases screen, 542, 543 SMTP, 196 checksum, 546 Mail server, securing, 478–480 creating image of unaltered evidence, mail servers 544 Kerio MailServer, 208–210 Database toolbar item, 540 limiting protocols on, 479 database, creating, 541 solutions for spam and viruses, 207–212 disabling disk arbitration, 544 mail_xyz flags, sudoers file, 71 Examiners screen, 541 Mail.app examiners, creating, 542 e-mail security, 196 File Types to Include screen, 553 maintenance logs, 124–129 Free Space Only check box, 552 daily.out log file, 126–127 golden master, 546 monthly.out log file, 129 image acquisition, 546–548 weekly.out log file, 128 main screen, 545–546 maintenance scripts Packet Size feature, 547 Mac OS X, 125 reviewing case, 554–555 running with Yasu, 127–128 Salvage screen, 551–553 Make Inherited Entries Explicit option Search for Embedded Files check box, propagating ACLs, 101, 102 552 malware, 213 Search window, 550, 551 adware, 228 Secure Empty Trash operation, 551 antivirus software, 218–228 setting up, 539–544 backdoors, 214, 216 setting up e-mail alerts, 544 best practices for combating, 227–228 smeared images, 546 classifying threats, 213–216 Write Report option, 555–556 configuring firewalls, 303 Mach IPC, 163 iPhone, 144 Mach-O logic bombs, 214, 215 launching non-Mach-O Carbon-based macro viruses, 215, 216 application, 160 Macs as carriers of, 216 MacLockPick, 556 retrovirus, 215, 216 MacOSXServerUpdCombo10.6.2.dmg, 244 rootkits, 216, 230–231 MacQuisition, 556 script malware attacks, 217–218 macro viruses, 215, 216 socially engineered malware, 218 preventing infection of Mac by, 217 spyware, 228–229 macros, 215 threat of malware on Mac, 216–217 Macs see Mac Trojan horses, 214, 215 MacScan, 229 virus files to test system, 228 MacStumbler, 346 virus replication, 143 magic triangle, setting up, 458 
viruses, 213, 215 Mail worms, 214, 215 authentication settings, 199 zombies, 215, 216 filtering Apple Mail for spam, 203–204 Managed Client OS X see MCX limiting communication via, 59–61 managed preferences, 449–453 port settings for SSL, 197 Applications policy, 449, 451 mail protocols Classic policy, 449 authenticating protocols, 197 Dock policy, 449 e-mail security, 196

enforcing on systems using Active tool, 149–152 Directory, 452 mcxxyz options, dscl command, 451 enhanced security for, 451–453 MD5 (Message Digest 5), 198 Finder policy, 449, 452 md5digest keyword, mtree, 109 Internet policy, 449 mDNS, 301 Login policy, 449, 452 Media policy, managed preferences, 449 MCX files, 450 Media Set creation screen, Retrospect, 521, Media policy, 449 522 Mobility policy, 450, 452 Media Verification option, Retrospect, 527 Network policy, 450, 452 media verification, Retrospect, 528 Parental Controls policy, 452 Melissa worm, 216 Printing policy, 450, 452 MEM column, ps command, 36 Software Update policy, 450 memory management, OS X kernel, 34 System Preferences policy, 450, 452 Message Digest 5 (MD5), 198 policy, 450 metadata, Xsan, 560–561 viewing, 451 Metasploit, 501–503 managed switches, 289–291 commands, 502 administrator concerns, 291 exploits, 503 MAC address filtering, 290 payloads, 503 manufacturer features, 291 targets, 503 rogue access points, 290 Microsoft Challenge Access Protocol (MS- VLAN (virtual LAN) support, 289 CHAPv2), 438 mandatory access control see MAC Microsoft event IDs, Event Viewer, 131 man-in-the-middle attacks, 288 Microsoft Office for Windows 802.1x protocol, 293 macro viruses attacking, 217 digital signing for SMB, 371 Mobile Access server, 480 Ettercap, 347 Mobile Accounts file sharing security, NFS, 466 external accounts, 68 securing Open Directory, 436 mobile option, dsconfigad command, 457 securing Perl scripts, 385 MobileMe mapping drives within Windows, 456 Account tab, 514 masks Back to My Mac tab, 405 pipe masks, 322–323 creating offsite copy of critical data, Master Boot Record (MBR) partition map, 513–517 250 iDisk tab, 516, 517 master password managing multiple keychains, 241 FileVault, 263–264 manually syncing, 516 Set Master Password button, 12 sign-in screen, 514 Master Password dialog box, Firefox, 193 Sync tab, 515 Master Password feature, Timbuktu Pro, syncronizing data, 515–516 411 Mobility 
policy master password, Firefox managed preferences, 450, 452 saving passwords, 192–194 mod_rewrite module setting master password, 193 blocking hosts based on robots.txt, 388 Use master password option, 192 mod_security, scripts, 384 McAfee VirusScan, 220 mode keyword, mtree, 109 MCX (Managed Client OS X), 149–152 modes (access levels), POSIX, 82–84 configuring application white listing, 150 bit-flag system, 83, 84 enabling FileVault for users, 261, 262 execute mode, 82, 83 managed preferences, files, 450 read mode, 82, 83 restricting applications with, 150 write mode, 82

modules nessusd daemon, 497 disabling unnecessary services in NeST commands, 439 Apache, 382 NetBIOS name, 367 reviewing safety of, 382 file sharing security, Samba, 470 monthly.out log file, 129 Netgear MA-111 USB adapter, 343 mount command, 75, 538 NetNanny forensics, 558 limiting access to web sites, 58 options, 75 network access control, 290 mount points network adapters, 315 securing, 74–75 Network Address Translation see NAT mounting disk image network administrators attach verb, hdiutil command, 251 configuring Safari security preferences, automating for backups, 252 189 POSIX permissions, 252 network authentication mountpoint option, hdiutil command Kerberos, 426 interfacing with disk images, 252 network backups MREGS column, top command, 37 Time Machine, 511–512 mtree network enumeration, 488 auditing file system permissions, 109– Network field, daily.out file, 126 111 see NFS flags, 110 network homes, setting up keywords, 109 Active Directory clients, 456–457 MTU field, daily.out file, 126 network intrusion detection, 494–497 multiple keychains, managing, 240–243 honeypots, 496–497 multiuser operating systems snort, from command line, 494–496 Mac OS X and Firefox, 196 network layers, moving packets, 278 Mac OS X security, 4, 50 Network policy My Processes option, Activity Monitor, 32 managed preferences, 450, 452 MyDoom worm, 216 Network preference pane configuring multiple IP addresses, 316 configuring PPTP-based VPN, 416 ■ N network protocols AFP, 357–359 namespace option, dsconfigad, 457 Samba (SMB), 359–362 NAT (Network Address Translation), 279 network scanning enabling firewall, AirPort, 332 active scanning, 486 network structure impacting security black-box testing, 486 level, 341 enumeration, 488 NAT tab, AirPort Utility fingerprinting, 486–488 configuring port mappings, 333 half scan, 491 directing web traffic, 333 KisMAC, 342 Native tab, MacForensicsLab, 549 nmap, 489–491 nbits, 348 other nmap scans, 492 Nessus, 497–501 passive scanning, 486 
defining policy, 499 port scanning, 488 defining targets, 500 scanning options, 490 reviewing report, 501 scanning techniques, 485–492 running scan, 500 stealth scanning, 491 scanning policy, 499 SYN scan, 489 starting Nessus server, 498 SYN/stealth scan, 491–492 Nessus Attack Scripting Language (NSAL), TCP connect scan, 489 497

vulnerability scanning, 489–492 routers, 284 white-box testing, 485 routing, 283–285 network security securing computer-to-computer see also security networks, 340–341 802.1x protocol, 292–293 securing, incoming ports, 278 creating closed network, AirPort, 337, stateful packet inspection (SPI), 287–288 338 spoofing, 287 hardware filtering, 334–336 subnets, 286 InfoSec acceptable use policy, 567 switches, 289 security through obscurity, 279 types of, 280–282 network services, 300–301 virtual private network (VPN), 414–422 Apple Filing Protocol (AFP), 300 wireless networks, 325–327 configuring firewalls, 303 Newsham 21-bit attack, 343 controlling services, 301–304 newsyslog, 125 disabling, 302 NFS (network file system) enabling, 301 file sharing security, OS X Server, 465– listing by name not port numbers, 302 466 restricting network services, 291–292 NFS shares, 94 when to enable and dangers, 303 NFSHomeDirectory attribute, 261, 465 Network Time Protocol (NTP), 427 Nimda worm, 216 network traffic nmap, 489–491 outgoing, 300, 302, 315, 316, 317, 319 other nmap scans, 492 queues, 323 nobrowse option, hdiutil, 252 routes, 300 Nointernet sandbox profile, 160 throttling, 321 Nonet sandbox profile, 160 Network Utility NOPASSWD tag, sudoers file, 74 naming conventions for network normal.dot file interfaces, 318 macro viruses attacking, 217 testing firewalls, 310–311 Norton AntiVirus, 220–221 whois lookup, 487 notes, secure Whois tab, 393, 394 login keychain creating, 239–240 network volume Nowrite sandbox profile, 160 Time Machine backups, 511–512 NSUmask, 77, 86 networks, 277 NTLM client-server networks, 282, 354 options for securing mail password, 198 communication over public networks, NTLM hash 401 managing multiple keychains, 242 data packet encryption, 288 ntlm hash type, 66 DAVE Network preferences, 370 NTLMv1/NTLMv2 deep packet inspection, 288 Open Directory authentication, 437 DMZ (demilitarized zone), 286 SMB authentication, 371 gateways, 283 NTP (Network Time 
Protocol), 427 hubs, 288, 289 Mac OS X protecting other computers, 313–315 ■ O managed switches, 289–291 o flag, mount command, 75 peer-to-peer (P2P), 280–282, 354 Observe setting, Remote Management, 407 protocols, 300 OD see Open Directory proxy servers, 293–294 ODSAgent service, 38 proxy services, Squid configuring, 295– one-time passwords, 50 297 online accounts

using strong passwords, 184 orphaned packets, wireless networks, 350 only_inherit permission, 93 OS X see Mac OS X Open and Quit Applications setting, Remote OS X Server security see Mac OS X Server Management, 407 security Open Directory, 425, 428–458 OSX.Leap.A worm, 214, 221 Active Directory integration, 454–458 Other User Processes option, Activity binding Mac clients into both Monitor, 33 directory structures, 458 owner, POSIX permissions, 104, 355 dual directory, 458 owners option, hdiutil command, 252 setting up network homes with AD ownership clients, 456–457 Change Ownership access right, 91 using AD-Plugin, 455–456, 457 multiuser operating systems, 50 configuring, 430–431 creating groups, 446–447 creating users, 444–446 ■ P enabling Open Directory server as PDC, P2P networks see peer-to-peer 453 packet reinjection, 343 granular control of user access, 63 Packet Size feature, MacForensicsLab, 547 Kerberos, 428 packetencrypt option, dsconfigad, 457 LDAP, 426 packets, 278, 283 enabling SSL, 431–432 data, 283 implementing custom LDAP ACLs, data packet encryption, 288 444 datagrams, 283 preventing anonymous binding, 439– deep packet inspection, 288 441 Ethernet protocol, 283 Mac OS X Server security, 428–458 header, 283 managed preferences, 449–453 interception on wireless networks, 326 promoting to replica, 425 IP packets, 283 providing directory services for Windows MAC address filtering, 290 clients, 453–454 moving, 278 securely binding clients to, 441–443 orphaned packets, 350 securing accounts by enabling password securing Open Directory, 436 policies, 432–435 stateful packet inspection, 287–288 securing authentication with packetsign option, dsconfigad, 457 PasswordServer, 437–439 PAMs (pluggable authentication modules), securing Kerberos from command line, 50 448 parent process, 30 securing using binding policies, 435–437 Parent tab, SquidMan utility, 296 setting up, 428–429 parental controls SSL certificates, OS X security, 474 restricting application 
access, 152 Open Directory master, 426, 427, 428, 430, setting up, 56–62 431, 440, 442, 443, 445 Parental Controls policy, 452 open relay, 478 Parental Controls preference pane open_basedir directive, PHP, 384 controlling use of Finder, 56 OpenLDAP, 426 copying Parental Controls settings, 62– openssl command, forensics, 558 63 OpenSSL tool, 391 enabling Parental Controls feature, 56 Opkts field, daily.out file, 127 limiting access to web sites, 58–59 options directive limiting communication via iChat and securing directory listings, 397 Mail, 59–61 Options tab, Retrospect, 526, 527 Logs tab, 62 Index 603
restricting access to applications, 57 use of special characters in, 184 setting time limits for access, 61–62 user changing password on disk images, setting up parental controls, 56 254 Partitions field, Disk Utility, 250 using same password for all services, passinterval option, dsconfigad, 457 360 passive scanning, 486 using strong passwords, 4, 184 passphrases, securing SSH, 413, 414 Passwords Must options PASSWD tag, sudoers file, 74 securing Open Directory accounts, 433 Password passwords, Firefox options for securing mail password, 198 viewing saved passwords, 194 Password Assistant PasswordServer, 426 setting passwords, 5, 6 securing authentication with, 437–439 using strong passwords, 4 paste issues, troubleshooting, 43 password policies pasteboard (pboard) process, 43 securing Open Directory accounts by PASV mode, FTP, 374 enabling, 432–435 PASV theft attack, 374 password protection, realms, 459, 460 patches Password quality meter Software Update preference pane, 14 Master Password dialog, Firefox, 194 path_info flag, sudoers file, 71 password reset utility, 11 payload, worms, 214 password-based authentication, SSH, 413 payloads, Metasploit, 503 passwordless authentication pboard process, 43 Carbon Copy Cloner (CCC), 172 PCMCIA cards, 343 public-key-encryption, 174 PDA securely automating remote rsync, 174 Bluetooth-PDA-Sync, 18 passwordless ssh authentication, 174 PDC (primary domain controller), 453 passwords creating Windows PDC, 454 bad password attempts peer-to-peer (P2P) networks, 280–282, 354 accountability for reviewing logs, 134 copyrighted material, 281 brute force guessing, 120 penetration testing, 489 controlling directory access, 390 performance DAVE Login preference pane, 369 browser plug-in issues with, 187 Disable automatic login option, 9 Performance counters, Windows, 132, 133 Disable Login Passwords options, 433 performance monitors encrypted keychains, 25 dsperfmonitor command, 67 encryption as security for, 184 periodic command, 125 
Firefox, saving passwords in, 192–194 periodic scripts, 125 InfoSec acceptable use policy, 565 accountability for reviewing logs, 134 keychain passwords, 25 daily.out log file, 126–127 login keychain creating, 237–239 monthly.out log file, 129 options for securing mail password, 198 running with Yasu, 127–128 Require password option, 9 weekly.out log file, 128 unlocking System Preferences, 10 periodic.conf file, 125 securing Open Directory, 433, 436 Perl self-service password reset, 11 enabling/disabling, 382 Set Master Password button, 12 web site security, 385–386 setting, 4 permission models ShadowHash authentication, 65 file sharing, 374–375 Show Password Hints option, 7 permissions SSL protection, 185 403 error code, 389 usability and user security, 50
access control lists (ACLs), 91–97, 356– pipe masks, 322–323 357 pipes managing on OS X server, 97–103 creating, dummynet, 321–322 access rights, ACL, 91–93 queues, 323, 324 see also under ACLs PKE (Public Key Encryption) administering, 97–103 user changing password on disk images, alpha/decimal/binary formats, 84 254 chown and chmod managing, 104–107 pkg packages, 249 creating files with, 77–78 PKI (Public Key Infrastructure) determining default on new files, 85 signing and verifying applications, 153 directory_inherit permission, 93 plausible deniability, 271 Effective Permissions tool, 102, 103 plist files see (.plist) files file system permissions, 79 pluggable authentication modules (PAMs), file_inherit permission, 93 50 Finder managing, 103–104 plug-ins htaccess/htgroup/htpasswd files, 388 AD-Plug-in, 454, 455–456 indicating ACEs exist, 96 browser performance issues, 187 limit_inherit permission, 93 disabling plug-ins, 499 Mac OS, 80–81 web browser attacks on Mac, 187 mapping ACE permissions, 99 web browser security, 188 mtree auditing file system permissions, PoE (Power over Ethernet), 290 109–111 policies only_inherit permission, 93 configuring, 449 POSIX permissions, 81–91, 355–356 creating Open Directory users/groups, problem with 644 permission, 85 446, 447 propagating, 100 defining policy, Nessus, 499 readextattr permission, 92 managed preferences, 449–453 securing files on web server, 396 scanning policy, Nessus, 499 Show Effective Permissions Inspector, securing Open Directory accounts, 432– 102 435 Xsan, 561 securing Open Directory services, 435– Personal File/Web Sharing 437 when to enable and dangers, 303 Policies tab, DAVE Network pane, 370, 371, PGP Desktop 372 desktop solutions for securing e-mail, POP 207 configuring Entourage to use SSL, 199 PGP Encryption, 269–270 e-mail security, 196, 197 phishing Kerberized POP, 198 spear phishing, 184 network protocols, 278 PHP, enabling/disabling, 382 POP3 PHP:Hypertext Preprocessor (PHP) Authenticated 
POP, 198 input validation, 383–384 pop-ups, Firefox security, 194 securing PHP, 383 pop-ups, Safari security, 185 web site security, 382–384 Block Pop-Up Windows option, 186 physical layer, 279 disabling Flash pop-ups, 186 PID (Process ID), 33 port 1179, 304 Activity Monitor, 34 port 161, 303 kernel_task process, 33 port 162, 303 launchd daemon, 33 port 21, 303 other processes, 34 port 22, 303, 475 ps command, 35 port 25, 300
blocking access to mail, 200 alpha/decimal/binary formats, 84 port management, 285 changing group using chgrp, 104 port 4111, 304 changing ownership using chown, 104 port 443 Discretionary Access Controls, 156 e-mail security using SSL, 196 education example, 88–90 HTTP over TLS, 391 execute mode, 82, 83 web site security, 381, 462 Finder managing permissions, 103 port 5353 inheritance, 84–86 mDNS responder, 301 managing permissions with chmod, 105– port 548, 303 106 Apple Filing Protocol (AFP), 301 modes (access levels), 82–84 port 5900, 303 bit-flag system, 83, 84 port 80, 278, 300, 303 modifying with Server Admin, 98 httpd daemon listening, 379 mounted/encrypted disk images, 252 redirecting traffic, 333, 380 mounting disk image in Finder, 250 telnet application connecting to, 395 read mode, 82, 83 port 8080, 300 sticky bit, 87, 356 port forwarding, AirPort, 333 suid/sguid bits, 87–88 port management, 285–286 write mode, 82 port mappings, AirPort, 333 Power over Ethernet (PoE), 290 port numbers, 300 PPP listing services by name not, 302 combining with SSH as VPN link, 419, moving packets, 278 422 port scanning setting up, 421–422 fingerprinting, 488 pppd daemon, 419, 420, 421 InfoSec acceptable use policy, 567 PPTP (Point-to-Point Tunneling Protocol), stroke utility, 311 438 testing firewalls, 310, 311 PPTP-based VPN, 415 ports, 278 setting up, 416–417 commonly used ports, 300 preferences, managed, 449–453 e-mail security using SSL, 196 preferred option, dsconfigad, 457 filtered port, 491 prefs.js file iTunes, AirPort Express, 339 Mac OS X and Firefox, 196 link aggregation, 291 pre-shared key authentication, 175 listeners, 278 primary domain controller see PDC listing services by name not port principal, Kerberos, 427 numbers, 302 Print & Fax preference pane, 18 MAC address filtering, 290 printer security, 18–20 Mail port settings for SSL, 197 Limit directive, CUPS, 20 opening and closing, 301 Location directive, CUPS, 19 priority tagging, 290 Printer Sharing 
service, 39 protocol traffic, 300 when to enable and dangers, 304 redirecting traffic to different ports, 333 printers, 18 redirecting traffic to nonstandard ports, Printing policy, 450, 452 380 priority tagging, 290 running on nonstandard port, 380 privacy securing networks, 278 Firefox, 190–192 spanning tree, 290 Clear Recent History option, 191 utilization for services, 278 clearing private data, 191 POSIX permissions, 80, 81–91, 355–356 information, web site security, 392–396 access levels, 80
protecting information from Google, programs, 29 394–395 proof-of-concept attack, 325 Safari, 188–189 Propagate Permissions option Privacy icon, Firefox security, 190, 191 propagating permissions, 100 private key property list (.plist) files signing and verifying applications, 153 authentication_authority key, 65 user changing password on disk images, editing, 77, 78 254 Mac OS X and Firefox, 196 private/var/log directory managing data from, 66 finding log files, 118 storage of user/group accounts, 65 privilege blocks Property List Editor, 77, 78 sandbox profiles, 167, 168 proto mask, pipes, 322 privilege-escalation vulnerability, 166 protocol support, ACLs, 94 privileges protocols, 357 add_file privilege, 92 see also mail protocols defining custom privilege sets, 99, 100 802.1x protocol, 292–293 delete privilege, 93 AFP, 357–359 readattr privilege, 92 AirPort encryption, 327 readsecurity privilege, 92 DNS, 277 Show options, Activity Monitor, 31 Ethernet, 283 writesecurity privilege, 91 FTP, 372–374 Process Name column, Activity Monitor, 34 HTTP, 278 processes, 30 IMAP, 278 Activity Monitor analyzing, 50, 51 ipfw, 317 All Processes options, 32 Kerberos, 426–428 diskarbitrationd process, 43 L2TP, 415 hidden processes, 301 layers, 277 kernel_task, 33, 34 LDAP, 425–426 launchd daemon, 33 limiting protocols on server, 479 pboard process, 43 network services, 300 RAM used, 35 networks, 300 Show options, Activity Monitor, 31, 33 POP, 278 stopping, 41–42 POP3, 198 stopping daemons, 43–44 PPTP, 416 stopping wrong process, 41 Samba (SMB), 359–362 viewing daemons running on Mac, 38–39 SMTP, 278 viewing processes running on Mac, 31– TCP/IP, 277–279 40 UDP, 277 Activity Monitor, 31–35 VPN, 415 ps command, 35–36 WEP, 327 top command, 36–38 WPA2, 327 processor services, 39 WPA2 Enterprise, 327 profanity provider services, 39 Hide Profanity in Dictionary option, 57 proxy servers, 293–294 profiles securing web servers, 381 backup.sb profile, 177 Squid, configuring proxy servers, 
295– base.sb profile, 167–170 297 kSBXProfileNoWrite profile, 179, 180 SquidMan utility, 296 Mac OS X and Firefox, 196 proxy service Sandbox profiles, 158–178 Mac OS X Server security, 480–481 shell.sb profile, 170–171 PRTS column, top command, 37
ps command Activity Monitor utility, 35 %MEM column, 35–36 ps command, 36 a option, 35 RavMonE.exe, 216 action before using, 31 RBAC (role-based access control), 374 CMD column, 35 Read & Write permission, ACE, 99 Process ID (PID), 35 Read access right, ACEs, 92 RAM used, 36 Read Attribute access right, 92 STAT (state) column, 36 Read Ext Attribute access right, 92 TIME column, 35 read mode, POSIX permissions, 82, 83 TTY column, 35 alpha/decimal/binary formats, 84 u option, 35 file sharing, 355 viewing output one screen at a time, 36 Read Only permission, ACE, 99 x option, 35 read permission, files, 92 pty-redir tool, 421 Read Permissions access right, 92 public key, 153, 172, 174 readattr privilege, 92 Public Key Infrastructure (PKI), 153 making files/directories invisible, 105 public/private key pairs, SSH, 413 readextattr permission, 92 public-key algorithms, 575 Read/Write disk image option, Disk Utility, public-key cryptography, 574, 575 246 public-key-encryption, 174 read-permissions category, ACEs, 92 pure-computation sandbox profile, 160 readsecurity privilege, 92 Real Memory column, Activity Monitor, 35 realms, 438 ■ Q Kerberos, 427, 470 web server security, OS X, 459–461 queues, dummynet, 323–324 receiving options, Entourage, 199 Quicklook reclaiming space, FileVault, 264–266 generation of proxies, 248 recover option, hdiutil, 255 quit command, Metasploit, 502 Recoverable Authentication Methods Quit option, stopping processes, 41 options, 438 quotas redirection statement, Perl scripts, 385 file sharing security, OS X Server, 465 redundancy Xsan, 562 cold sites, 533 hot sites, 534 register_globals directive, PHP, 383 ■ R reload command, Metasploit, 502 r (read) permission, POSIX, 83 Remote Apple Events service, 303 alpha/decimal/binary formats, 84 Remote Authentication Dial In User Service r option, mount command, 75 see RADIUS R state, ps command, 36 remote automation RADIUS (Remote Authentication Dial In User securely automating remote rsync, 174– 
Service) 177 wireless security on OS X Server using, remote connectivity 471–473 Back to My Mac feature, 404–405 RADIUS server combining PPP and SSH as VPN link, safeguards against cracking wireless 419–422 networks, 349 configuring Remote Management, 405– radmind, 74 408 RAIDs remote management applications, 402– restricting access using mount points, 74 408 RAM application, 402–404
Secure Shell (SSH), 412–414 scheduling scripts, 524, 525 Timbuktu Pro, 408–412 Select Media Sets screen, 523 virtual private network (VPN), 414–422 selecting sources to backup, 520, 521 Remote Login service, 39 Sources tab, 527 SSH, 412, 413 specifying backup destination, 521, 522 when to enable and dangers, 303 Summary screen, 524 remote management applications, 402–408 utility scripts, 527–528 Remote Management service, 39 Retrospect Backup server computer settings, 407–408 configuring Retrospect, 519 configuring, 405–408 retrovirus, 215, 216 disabling Screen Sharing, 405 reverse-domain notation, 142 options, 406–407 rights, ACL access, 91–93 setting up, 406 roaming profiles replication mapping drives within Windows, 456 disabling SSH, 476 robots.txt promoting Open Directory to replica, 425 blocking hosts based on, 387–388 viruses, 143 securing, 386–388 reports, MacForensicsLab, 555–556 rogue access points reports options, Retrospect, 530 KisMAC, 343 Require Authenticated Binding Between managed switches, 290 Directory and Clients option, 436 role-based access control (RBAC), 374 Require password options, Security roles preferences, 9, 10 communication paths, 300 Require User option configuring Open Directory, 430 Limit directive, CUPS, 20 root account requiretty flag, sudoers file, 71 dsenableroot command, 67 Reset Safari window, 188, 189 enabling root user, 6, 69 resetting passwords, 11 enabling unnecessarily, 4 Restart and Shut Down setting, Remote leaving disabled for security, 56 Management, 407 Mac OS X security, 4, 69 restoring files, Time Machine, 510–511 using SMB service, 360 restricting access see access control root kits, 285 restriction declarations, sandbox, 162 remote connectivity, 401 Retrospect, 517–529 SH.Renepo.B, 230 Add new member screen, 522, 523 root privilege adding destinations, 522 SUID applications, 75–76 Backup Assistant, 520–525 root user, 53 checking backups, 528–530 bypassing DAC model, 157 configuring backup, 519–525 disabling 
superuser account, 55, 56 copying media set or backup, 527, 528 enabling superuser account, 54–55 Data Compression option, 527 Mac OS X Server security, 425 Destinations tab, 527 root_sudo flag, 71 download and installation, 518–519 Rootkit Hunter, 230–231 encryption for backup destinations, 522 rootkits, 216, 230–231 grooming scripts, 525–527 rootpw flag, sudoers file, 71 Media Set creation screen, 521, 522 rotating logs media verification, 527, 528 cu.modem.log, 129 Options tab, 526, 527 Disk Utility logs, 121 reports options, 530 history files, 123 retrovirus attacks on, 215 maintenance scripts, 125 Schedule tab, 524, 525 monthly.out log file, 129
newsyslog.conf, 125 web browser security, 185–189 system.log file, 127 disabling Flash pop-ups, 186 round-robin DNS, 532–533 pop-ups, 185, 186 routers, 284 Safari bundle, 309 DMZ (demilitarized zone), 286 Safari Forensic Tools (SFT), 557 Mac OS X firewall, 299 Safari Toolkit, 189 routes Safe Domains tab, Entourage, 205, 206 data transmission, 284 safe lists network traffic, 300 using white listing in Entourage, 205 routing, 283–285 SAINT, 503–504 combining PPP and SSH as VPN link, salvage operations 422 other applications performing, 553 enabling on base station, AirPort, 332 Salvage screen, MacForensicsLab, 551–553 firewalls, 285 Samba, 359–362 gateways, 283 see also SMB packets, 283 file sharing security, OS X Server, 470 routing tables, 284 providing password for Windows user, RPRVT column, top command, 37 361 rrset-order command smb.conf file, 361–362 round-robin DNS, 532 samba directory RSA encryption method accountability for reviewing logs, 134 establishing SSH key, 420 SAN solution providers, 562 RSHRD column, top command, 37 sandbox, 156–180 rsync granular control of managed settings in Carbon Copy Cloner (CCC), 172, 173, Leopard, 63 174 restriction declarations, 162 securely automating remote rsync, 174– seatbelt framework, 178–180 177 Sandbox profiles, 158–178 rules, firewalls, 300 accessing low-level functions, 165 Rumpus anatomy of, 161–165 limiting sftp access, 167 Apple OS X support for, 160 logging, 118, 119 backup.sb profile, 177 Runas_Alias, sudoers file, 70, 73, 74 base.sb profile, 167–170 runaspw flag, sudoers file, 71 BIND, 177–178 Carbon Copy Cloner (CCC), 172–174 conflicting access provisions, 161 ■ S declarations, 161, 162 file system access, 164 S state, ps command, 36 file-write* provisions, 164 S/MIME Certificates, 241 inline comments (;), 161 SACLs (service access control lists), 424 kSBXProfileNoWrite profile, 179, 180 disabling SSH, 476 locked-down process, 162 Safari logs, 161 installation of unwanted software, 188 Mac OS X, 159
privacy, 188–189 Mach IPC, 163 Reset Safari option, 188, 189 Nointernet, 160 Security preference tab, 185 Nonet, 160 Show Cookies button, 186 Nowrite, 160 security preferences, 187 privilege blocks, 167, 168 network administrators configuring, pure-computation, 160 189 sbshell script, 171 setting, 186–188
securely automating remote rsync, 174– SecureDoc, 271–272 177 securely erasing disks, 21–23 shell.sb profile, 170–171 security specifying path to, 159 see also Mac OS X security; Mac OS X System Private Interface, 160 Server security; network security; using Sandbox to secure user shells, web browser security; web server 166–171 security; web site security write-tmp-only, 160 802.1x protocol, 292–293 sandbox_init function, 178, 180 Activity Monitor analyzing processes, 50 save command, Metasploit, 502 application signing, 139–156 Sawmill, 130 authentication, 49 sbshell script, 171 authorization, 49 scanning see network scanning backups, 507 scanning policy, Nessus, 499 Bluetooth security, 16–18 schedule scan preferences, ClamXav, 225 CDSA, 571–572 Schedule tab, Retrospect, 524, 525 computer forensics, 537 Scheduled Check tab, Software Update dangers of Internet Sharing, 315 preferences, 15 e-mail security, 196–202 scheduling scripts, Retrospect, 524, 525 enabling root account, 4 scp encrypted disk images, 24–25 Carbon Copy Cloner (CCC), 172, 173 encrypted keychains, 25–26 Screen Sharing application, 402–404 file security, Mac OS X, 354–357 computer settings, 404 file system permissions, 79 opening, 402 FTP, 373 selecting users, 403, 404 hard links, 107–108 setting up, 403 hardening, 49 VNC and, 402 iChat server, 477–478 Screen Sharing service, 38 identification, 49 scripting languages, 29 identity theft, 183 scripts, 29, 217 InfoSec acceptable use policy, 564 sbshell script, 171 intrusion detection, 492–497 script malware attacks, 217–218 keychain securing sensitive data, 234– Automator, 217 243 web site security, 384–386 leaving root account disabled, 56 SCSI protocol, Fibre Channel, 559 list of best practices, 27 search engines Mail server, 478–480 robots.txt denying access to, 386 Open Directory, 428–458 search permission, folders, 92 physical layer, 279 Search window, MacForensicsLab, 550, 551 printer security, 18–20 searching readsecurity privilege, 92 
Execute/Search access right, 92 Sandbox, 156–180 seatbelt Secure Empty Trash feature, 23–24 framework, 178 securely erasing disks, 21–23 Snow Leopard, 157 securing web servers, 377–382 Secure Empty Trash feature, 23–24 sharing services, 20 Secure Erase Options window, 23 through obscurity, 279 secure notes usability and user security, 50 login keychain creating, 239–240 using SMB service, 360 Secure Shell see SSH wireless networks, 325–327 Secure Sockets Layer see SSL writesecurity privilege, 91 secure.log file, 119–120, 125 Xsan, 559–562
security auditing on Mac, 497–504 sending options, Entourage, 200 Metasploit, 501–503 sensitive data Nessus, 497–501 keychain securing, 234–243 SAINT, 503–504 mtree auditing file system permissions, Security field options 109–111 securing Open Directory, 436–437 sensitivity labels, MAC, 374 security patches Sentry feature, ClamXav, 225, 226 Software Update preference pane, 14 Sentry Tools, 130 Security preference pane, 9–14 Server Admin application Disable automatic login option, 9 defining custom privilege sets, 99, 100 Disable Location Services option, 10 Effective Permissions tool, 102, 103 Disable remote control infrared receiver File Sharing tab, 98 option, 10 Make Inherited Entries Explicit, 101 enabling FileVault for users, 260 managing ACLs on OS X server, 97–103 FileVault tab, 12–13 propagating permissions, 100 Firewall tab, 13–14, 147 Show Effective Permissions Inspector, Automatically allow signed software 102 to receive connections option, 307, Server Admin console, Mac OS X, 211 308–309 see SMB Enable stealth mode option, 309–310 server security see Mac OS X Server setting advanced firewall features, security 307–310 serveradmin command, Mac OS X Server working with firewalls in Snow security, 477 Leopard, 304 servers General tab, 9–11 500 error code, 389 Log out option, 10 limiting protocols on server, 479 Require password option, 9 mail server-based solutions for spam Require password to unlock System and viruses, 207–212 Preferences option, 10 proxy servers, 293–294 Set Master Password button, 12 Squid, configuring proxy servers, Use secure virtual memory option, 10 295–297 security preferences, 9–14 securing web servers, 377–382 Entourage, 201, 202 SERVERS list Firefox setting up Open Directory, 428 about:config page, 195 server-side includes see SSIs Content tab, 194, 195 service (SRV) records, 454 Security tab, 192, 193 service access control lists see SACLs Safari, 185, 187 services, 30 network administrators configuring, see also network 
services 189 Active Directory, 454–458 setting security preferences, 186–188 backups, 534–535 Show Cookies button, 186 configuring firewalls, 303 security threats see malware controlling, 301–304 Select Media Sets screen, Retrospect, 523 creating, 40 Select the Interface screen, VPN, 415 daemons, 38 Selected Processes option, Activity Monitor, disabling unnecessary services in 33 Apache, 382 self-service password reset, 11 enabling third-party services, 305 self-signed certificates, 392 Finder Services menu, 40 Send Text Messages setting, Remote limiting access to services, 423–424 Management, 407 listing by name not port numbers, 302
Open Directory, 428–458 shells port utilization, 278 reviewing command-line logs, 123 processor services, 39 using Sandbox to secure user shells, provider services, 39 166–171 sharing, 20–21 show command, ipfw, 318, 319 types of launchd services, 44 show command, Metasploit, 502 validating authenticity of, 46 Show Effective Permissions Inspector, 102 viewing services available, 39–40 Show options, Activity Monitor, 31, 32 Services tab, Server Admin Show Password Hints option, Login Options setting up Open Directory, 428–429 screen, 7 Set Master Password button, Security Show When Being Observed setting, preferences, 12 Remote Management, 407 set_home/set_logname flags, sudoers file, signature enforcement in OS X, 144–152 71 indicating application not signed, 151 setg command, Metasploit, 502 keychain access, 145–146 setgid bit, 88 Managed Client OS X (MCX), 149–152 setuid bit, 87, 88 OS X application firewall, 147–149 SFT (Safari Forensic Tools), 557 parental controls, 152 sftp, 397 signed software limiting access, 166 allowing to create connections, 308 SGID (group SUIDs), 76 signing, 153–156 sguid bit, 87–88 application signing, 139–156 SH.Renepo.B, 230 code signing, 144, 153 SHA-1 hash codesign tool, 155 managing multiple keychains, 242 indicating application not signed, 151 sha1digest keyword, mtree, 109 Keychain Access utility, 154 shadow mount Public Key Infrastructure (PKI), 153 forensically acquiring disk images, 557 Simple Authentication and Security Layer ShadowHash authentication, 65, 66 (SASL) standard, 437 Shared Folders window, 20 Single Unix Standard, version 3 (SUS3), 85 shared folders, viewing, 464 size keyword, mtree, 109 Sharing & Permissions window, Finder, 104 slapconfig command sharing accounts, 52–53 Open Directory authentication, 439 Sharing Only account, 52, 353 slapd, 426 Sharing preference pane, 20–21 configuring to refuse anonymous configuring AFP sharing, 358 connections, 440 configuring settings for, 301, 302 SMB (Server Message 
Block), 457 disabling firewalls, 305 see also Samba disabling network services, 302 configuring SMB Setup name in DAVE, enabling Apache 2.2 web server, 378 368 enabling Apache web server, 377 configuring SMB workgroup for DAVE, enabling FTP sharing, 372 368 enabling Internet Sharing, 313 defining SMB/Windows user, 360 enabling network services, 301 sharing data through using DAVE, 369 finding IP addresses, 302 SMB authentication, 371 turning daemons on or off in, 38 SMB signing viewing daemons running on Mac, 38 man-in-the-middle attack, 371 Sharing tab, Print & Fax preferences, 18 smb.conf file, 361–362 shell scripts smeared images, forensics, 546 script malware attacks, 217 SMTP shell.sb profile, 170–171
blocking access to mail being sent over outsourcing spam and virus filtering, 212 port 25, 200 proxy servers, 294 configuring Entourage to use SSL, 200 using mail server-based solutions for, e-mail security, 196 211–212 network protocols, 278 using strong passwords, 184 options for securing mail password, 198 using white listing in Entourage, 205–206 SMTP Relays, 479 X-Spam-Status, 203 SMTP traffic, port management, 285 SpamAssassin tool, 478 snort, from command line, 494–496 Mac OS X Server, 210 Snow Leopard spanning tree, 290 802.1x protocol, 292 Sparse bundle disk image option, Disk account types, 51, 53 Utility, 247 Finder Services menu, 40 sparse bundles, 248–250 ipfw program, 317 additional command line properties, 256 Kerberosv5 authentication authority, 65 downside of, 250 parental controls, 58 encrypting user data, FileVault, 258 running ClamXav on, 221 viewed from Finder, 249 signature matching malware, 219 Sparse disk image option, Disk Utility, 25, securely binding clients to Open 247 Directory, 441, 442 sparse image, creating services available, 39 diskutil command, 256 working with firewalls in, 304–307 hdiutil command, 253, 255, 256 social engineering, 488 sparse images social engineering attacks, 488 limitations of, FileVault, 264–266 socially engineered malware, 218 sparse-band-size key, diskutil, 257 socketfilterfw command SPARSEBUNDLE image format, diskutil, managing ALF, 312 256 soft quotas, 562 spear phishing, 184 software special characters antivirus software, 218–228 filtering user input, 399 Safari and installation of unwanted SPI (stateful packet inspection), 287–288 software, 188 Splunk, 130 vulnerability of, 167 spoofing, 287 software firewall, 299 Application Layer Firewall (ALF), 301 changes to volumes, 248 ipfw tool, 301 spyware, 228–229 Software Update policy, 450 MacScan, 229 Software Update preference pane, 14–16 SQL Injection attacks, 398 Scheduled Check tab, 15 Squid software updates, testing, 15 command-line administration, 297 
Sophos Anti-Virus for Mac OS X, 226–227 configuring proxy servers, 295–297 Sources tab, Retrospect, 527 configuring with SquidMan, 295–297 spam, 202, 206 SquidMan utility, 295–297 antispam tools, 210–211 Clients tab, 296 CommuniGate Pro, 211–212 Direct tab, 296 false positives, 203, 204, 207 General tab, 295–296 filtering Apple Mail for, 203–204 installing, 295 filtering with Entourage, 204–205 Parent tab, 296 InfoSec acceptable use policy, 567, 569 preference screen settings, 295–296 Kerio MailServer, 208–210 starting and stopping, 296, 297 mail server-based solutions for, 207–212 Template tab, 296
src-ip mask, pipes, 322 stdinpass option, hdiutil, 253, 255 src-port mask, pipes, 322 stealth mode, enabling, 309–310 Ss state, ps command, 36 stealth scanning, 491 ssh sticky bit, POSIX, 87, 356 Carbon Copy Cloner (CCC), 172 storage pools, Xsan, 560 non-standard ports, 278 StorNext, Xsan interoperability, 559 passwordless ssh authentication, 174 stream ciphers, 574 SSH (Secure Shell), 412–414 stroke utility, port scanning, 311 authentication, 413 su command, 69 combining with PPP as VPN link, 419– reviewing command-line logs, 123 422 subnet mask configuring Timbuktu security, 412 client IP addresses, 314 disabling, 476 subnets, 286 enabling, 412–413 subpath expression, sandbox, 164 id_dsa/id_dsa.pub keys, 414 sudo command, 69 Mac OS X Server security, 475–477 using ipfw, 317 passphrases, 413, 414 sudo kill command, 422 password-based authentication, 413 sudoers file, 69–74 public/private key pairs, 413 aliases, 72 Remote Login feature, 412, 413 Cmnd_Alias, 70, 73 securing, 413–414 combining PPP and SSH as VPN link, setting up, 420–421 419 $SSH_ORIGINAL_COMMAND, 176 editing, 69, 72 SSID suppression, 337 escaping characters, 73 SSIs (server-side includes), 381 flags defining privileges, 70–71 blocking hosts based on robots.txt, 387 for webscripters, 74 SSL (Secure Sockets Layer), 185 granting resource access to configuring Entourage to use, 199 users/aliases, 73 e-mail security, 196–199 Host_Alias, 70, 73 Mail port settings for, 197 location of, 69 OpenSSL tool, 391 NOPASSWD tag, 74 securing LDAP, 431–432 PASSWD tag, 74 self-signed SSL certificates, 197 pushing file to other users on network, tightening security with TLS, 391 74 use SSL on clients, 474 rules conflicting in, 74 verifying authenticity of server, 197 Runas_Alias, 70, 73 SSL certificates syntax of, 74 generating self-signed certificate, 475 User_Alias, 72 Mac OS X Server security, 474–475 wildcards, 73 reimporting, 475 SUID applications, 75–76 securely binding clients to Open listing all SUID or SGID 
files, 76 Directory, 442 suid bit, 87–88 securing LDAP, 431–432 SuperDuper, 512–513 web server security, OS X, 461–463 superuser see root user stacked switches, 289 SUS3 (Single Unix Standard, version 3), 85 Fibre Channel, 561 swap files, 10 staff group, Mac OS X, 81 Swatch, 130 standard user, 51 switches, 289 StartupItems tool, 45 managed switches, 289–291 STAT column, ps command, 36 rogue access points, 290 stay_setuid flag, sudoers file, 71 stacked switches, 289
switching accounts
    Fast User Switching, 8
symbolic link type, POSIX, 83
symbolic links
    securing directory listings, 397
SymLinksIfOwnerMatch directive, 397
symmetric-key cryptography, 573, 574
SYN scan, 489, 491
SYN/ACK packet, 491
SYN/stealth scan, 491–492
Sync tab, MobileMe, 515
synchronization
    Bluetooth-PDA-Sync, 18
synchronized profiles
    mapping drives within Windows, 456
syslog service option, AirPort, 336
syslogd daemon, 30, 115
System keychain, 237
System Preferences
    Accounts preference pane, 4–8
    Bluetooth preference pane, 16–18
    configuring VPN connection, 416
    customizing, 4
    Print & Fax preference pane, 18
    Security preference pane, 9–14
    Sharing preference pane, 20–21
    viewing daemons running on Mac, 38
    Software Update preference pane, 14–16
System Preferences pane
    Require password to unlock option, 10
System Preferences policy, 450, 452
System Private Interface, 160
System Processes option, Activity Monitor, 33
system.log file, 125
    rotating logs, 127
SystemStarter tool, 45

■ T
t option, mount command, 75
t permission, POSIX
    sticky bit preventing deletion, 87
T state, ps command, 36
tape libraries, backups using, 530–531
tar command, 518
targetpw flag, sudoers file, 71
targets
    defining, Nessus, 500
    Metasploit, 503
Task Manager, Windows, 131–132
TCP (Transmission Control Protocol) see TCP/IP
TCP connect scan, 489
TCP/IP, 277–279
    moving packets, 278
    ports, 278
teaming (link aggregation), 291
Telnet, 412
telnet application, 395
Template tab, SquidMan utility, 296
Terminal window
    finding log files, 118
    opening, 31
    reviewing command-line logs, 123
testing
    see also network scanning
    firewalls, 310–311
    software updates, 15
text editors
    flags defining privileges in sudoers file, 71
TGT, Kerberos, 427
threads, 30
Threads column, Activity Monitor, 34
threats see malware
throttling
    address masking, 322
    dummynet, 321
ticket, Kerberos, 427
ticket, NTLMv1, 371
Timbuktu Pro, 408–412
    adding new users, 409–410
    configuring master password, 411
    configuring maximum security options, 411, 412
    configuring password rules, 410, 411
    configuring services, 412
    connecting to client system, 410
    installing, 408
    Master Password feature, 411
    testing new user accounts, 410–412
    User setup screen, 409
time
    setting time automatically, AirPort, 331
Time Capsule, 512
TIME column, ps command, 35
time keyword, mtree, 110
time limits, setting for access, 61–62
Time Machine, 506–512
    backup security, 507
616 Index

    choosing backup device, 507
    device exclusions, 508
    disabling backups, 510
    excluding directories, 510
    invisible items, 508
    network volume backups, 511–512
    restoring files from, 510–511
    setting data not to be backed up, 508
    setting data to be backed up, 509
    viewing files not backed up by default, 509
Time Machine preference pane, 506
time synchronization, 427
TLS (Transport Layer Security), 185
    web site security, 391–392
tmp folder
    troubleshooting cut/copy/paste issues, 43
top command
    action before using, 31
    MREGS column, 37
    PRTS column, 36–38
    RPRVT column, 37
    RSHRD column, 37
    sorting output, 37
command, 284
traffic shaping, 321
transferring files see file sharing
transport layer, 278
Transport Layer Security see TLS
trash
    Secure Empty Trash feature, 23–24
Triple-DES, 573
Tripwire, 493–494
Trojan horses, 214, 215
    virus replication, 143
TrueCrypt, 270–271
trusted applications, 312
    keychain access, 145
    viewing, 312
TrustedBSD’s MAC framework, 157
TTY column, ps command, 35
tty_tickets flag, sudoers file, 71
Turn On FileVault button
    enabling FileVault for users, 260
two-tier (client-server) networks, 282, 354
type keyword, mtree, 110
type option, hdiutil, 253, 255, 256

■ U
u option, ps command, 35
U state, ps command, 36
UDIF image format, diskutil, 256
UDP (User Datagram Protocol), 277
UDP traffic and subnets, 286
UDTO image format, diskutil, 256
uid keyword, mtree, 109
umask
    applying new umask value, 86
    Mac OS X default value, 85
    NSUmask value, 86
umask command, 77
Umask Doctor, 86
uname keyword, mtree, 109
UNC (universal naming convention), 456
underscore (_) character
    accounts beginning with, 65
Universal Access policy, 450
Universally Unique IDentifier (UUID), 65
Unix files
    # character, 69
    % character, 70
unload verb, launchd, 312
unsetg command, Metasploit, 502
unsolicited messages see spam
updates
    Software Update preference pane, 14
Upgrade Storage feature, MobileMe, 517
Use a master password option, Firefox, 192
use command, Metasploit, 502
Use secure virtual memory option, 10
user access
    controlling use of Finder, 56
    copying Parental Controls settings, 62–63
    granular control of managed settings in Leopard, 63
    limiting to web sites, 58–59
    limiting communication via iChat and Mail, 59–61
    managing, 62
    restricting with sudoers, 69–74
    restricting to applications, 57
    securing mount points, 74–75
    setting time limits for, 61–62
user accounts
    adding aliases, 64
    administrative user, 51
    Advanced Options, 64
    generateduid key, 65

    group accounts, 53
    guest accounts, 53
    hardening, 49
    hidden service users and groups, 65
    local directory services, 65–69
    root users, 53
    setting up parental controls, 56–62
    sharing accounts, 52–53
    standard user, 51
    storage of, 65
    types of, 51–53
User Authentication screen
    configuring PPTP-based VPN, 417
User column, Activity Monitor, 34
user data, FileVault encrypting, 257–265
User Datagram Protocol see UDP
user input, filtering characters, 399
User Settings window, 8
User setup screen, Timbuktu Pro, 409
user shells, Sandbox securing, 166–171
User_Alias, sudoers file, 72, 74
users
    adding to groups, 53–54
    administrative users, 8
    creating Open Directory users, 444–446
    disabling superuser account, 55, 56
    enabling FileVault for users, 260–262
    enabling root user, 6
    enabling superuser account, 54–55
    encrypting beyond home directory, 13
    Fast User Switching, 8
    granting resource access to, 73
    identifying who ran programs, 120
    Log out option, 10
    Mac OS X security, 4
    multiple users in workgroup setting, 7
    multiuser operating systems, 50
    Other User Processes option, 33
    setting up for sudo, 73
    usability and user security, 50
    user-specific logs, 121–122
UTI mechanism
    application identification, 142
utility scripts, Retrospect, 527–528
UUID (Universally Unique IDentifier), 65

■ V
v option, mount command, 75
validation
    input validation, PHP, 383–384
var/log directory
    finding log files, 118
verbose mode, mount command, 75
verification
    application integrity, 143
    applications, 153–156
version command, Metasploit, 502
Vi, running commands from, 76
Vipul’s Razor, 210
virtual machines, backups, 509
virtual memory, 10
    Activity Monitor utility, 35
    Use secure virtual memory option, 10
Virtual Network Computing see VNC
virtual private network see VPN
virus definitions, 220
virus scanner, ClamXav, 224
viruses, 213
    antivirus software, 218–228
    CommuniGate Pro, 211–212
    Elk Cloner, 216
    macro viruses, 215, 216
    mail server-based solutions for, 207–212
    malware and, 213, 215
    outsourcing spam and virus filtering, 212
    replication, 143
    retrovirus, 215, 216
    W97M virus, 217
VirusScan, McAfee, 220
visudo command, 72
    flags defining privileges in sudoers file, 71
VLAN (virtual LAN) support
    managed switches, 289
Vmirror, 562
VNC (Virtual Network Computing)
    Screen Sharing and, 402, 403
VNC client access
    enabling Remote Management, 408
    enabling Screen Sharing, 404
volumes
    changes to, 248
    hard links security issues, 108
    restricting access using mount points, 74, 75
    showing volumes mounted on system, 75
    Xsan, 560
VPN (virtual private network), 414–422
    adding VPN connection, 415
    configuring routing, 422

    disconnecting, 422
    setting up PPP, 421–422
    setting up SSH, 420–421
    setting up VPN account, 419–420
    configuring VPN connection, 416
    connecting to, 414–415
    connecting to Cisco VPN, 417–418
    Select the Interface screen, 415
    serveradmin command, 477
    setting up L2TP, 415–416
    setting up PPTP, 416–417
VPN link
    combining PPP and SSH as, 419–422
VPN protocols, 415
VPN tunnels, 398, 414, 419
vulnerability scanning, 489–492
    Nessus, 497
    SAINT, 503–504

■ W
w (write) permission, POSIX, 83
    alpha/decimal/binary formats, 84
    problem with 644 permission, 85
W97M virus, 217
WAPs (wireless access points), 326
    AirPort, 327–328
    finding access points while traveling, 346
    wardriving, 337
    safeguards against cracking wireless networks, 349
WDS (wireless distribution system), 328
WDS network, 328
    changing form of encryption, 329
web browser security, 185–196
    see also security
    Firefox, 189–196
    plug-ins, 188
    Safari, 185–189
    attacks on the Mac, 187
    installation of unwanted software, 188
web browsers
    performance issues with plug-in, 187
web hosting, 378
web server security
    see also security
    blocking hosts based on robots.txt, 387–388
    controlling search engine access, 386
    Mac OS X Server, 459–462
    realms, 459–461
    SSL certificates, 461–463
    securing web server, 377–382
    changing log file location, 379
    disabling CGI, 381
    disabling unnecessary services in Apache, 382
    httpd service, 378–379
    proxy servers, 381
    replacing default web site files, 379
    restricting Apache access, 380
    running on nonstandard port, 380
web servers
    enabling Apache web server, 377
    enumerating, 395–396
    securing files on, 396–398
Web services, OS X, turning on, 377, 378
Web Sharing box, OS X, 377, 378
Web Sharing service, 39
web site security
    see also security
    code injection attacks, 398–399
    controlling directory access, 388–391
    cross-site scripting (XSS) attacks, 398–399
    enumerating web servers, 395–396
    htaccess file, 388–391
    implementing digital certificates, 392
    information privacy, 392–396
    Perl scripts, 385–386
    PHP, 382–384
    protecting information from Google, 394–395
    replacing default web site files, 379
    reviewing safety of module, 382
    scripts, 384–386
    securing directory listings, 396–397
    securing files on web server, 396–398
    securing PHP, 383
    securing robots.txt, 386–388
    securing web servers, 377–382
    SQL Injection attacks, 398
    tightening with TLS, 391–392
web sites
    404 error code, 389
    limiting access to, 58–59
WEBDAV-Digest, 438
webscripters, sudoers file for, 74
weekly.out log file, 128
WEP

    AirPort protocols, 327
WEP keys
    cracking, 347–348
    generation of 40-bit keys, 343
whatis command, 128
When Junk Mail Arrives options, 203
white listing
    application configuring, 150
    using in Entourage, 205–206
white-box testing, 485
WHOIS lookup, 392
    Network Utility performing, 487
    querying whois databases, 488
Whois tab, Network Utility, 393, 394
wildcards, sudoers file, 73
Windowed Processes option, Activity Monitor, 33
Windows clients
    providing directory services for, 453–454
Windows methods to log events, 130–133
    Event Viewer, 130–131
    Performance counters, 132, 133
    Task Manager, 131–132
Windows Sharing
    when to enable and dangers, 303
Windows users, providing password for, 361
Windows, mapping drives within, 456
WinMagic SecureDoc, 271–272
WINS Server option
    sharing files with AirPort, 364
wireless access points (WAPs)
    key generation process, 343
    network structure impacting security level, 341
    Newsham 21-bit attack, 343
wireless access points see WAPs
wireless distribution system see WDS
wireless hacking tools, 342–347
    EtherPeek, 347
    Ettercap, 347
    iStumbler, 344–346
    KisMAC, 342–344
    MacStumbler, 346
wireless networks, 325–327
    AirPort, 327–328
    client computers, 339–340
    configuring encryption type, AirPort, 332
    cracking WEP keys, 347–348
    cracking WPA-PSK, 348–349
    hiding, 337–338
    IEEE 802.11 protocol, 326
    network structure impacting security level, 341
    packet interception, 326
    safeguards against cracking, 349–350
    securing computer-to-computer networks, 340–341
    security issues, 325
    viewing details about, 345
wireless security
    on OS X Server using RADIUS, 471–473
Wireless tab, AirPort Utility, 331, 332
    SSID suppression, 337
wLAN see wireless networks
workflows, Automator
    script malware attacks, 217
Workgroup Manager
    configuring policies, 449
    creating Open Directory groups, 446–447
    creating Open Directory users, 445–446
    enabling FileVault for users, 261
    file sharing security, NFS, 466
    Managed Client OS X (MCX), 149–152
    managed preferences, 451
workgroup setting, multiple users in, 7
worm worm, 216
worms, 214, 215
    Code Red worm, 216
    Duh worm, 144
    iKee worm, 144
    Melissa worm, 216
    MyDoom worm, 216
    Nimda worm, 216
    OSX.Leap.A worm, 214
    payload, 214
    worm worm, 216
WPA2, AirPort protocols, 327
WPA2 Enterprise, 327
WPA-PSK, cracking, 348–349
Write Attributes access right, ACEs, 92
write blocking, forensics, 538
Write Ext Attributes access right, 92
write mode, POSIX permissions, 82
    alpha/decimal/binary formats, 84
    file sharing, 355
Write Only permission, ACE, 99
Write Report option, MacForensicsLab, 555–556
Write/Add Files access right, ACEs, 92
write-permissions category, ACEs, 92–93
writesecurity privilege, 91

write-tmp-only sandbox profile, 160

■ X
x (execute) permission, POSIX, 83
    alpha/decimal/binary formats, 84
x option, ps command, 35
Sharing service, 39
    when to enable and dangers, 304
XMPP protocol, iChat server, 478
Xsan
    affinities, storage pools, 561
    configuration files, 559
    Fibre Channel, 561
    full disk encryption, 266
    LUN (logical unit number), 560
    metadata, 560–561
    permissions, 561
    quotas, 562
    security, 559–562
    storage, 560
    storage pools, 560
    StorNext interoperability, 559
    volumes, 560
X-Spam-Status, 203
XSS (cross-site scripting) attacks, 398–399
XSS holes, 399

■ Y
Yahoo Mac Forensics group, 537
Yasu
    running maintenance scripts with, 127–128
yellow triangle, Firefox
    indicating allowed application is not signed, 151

■ Z
Z state, ps command, 36
Zero Out Data option
    securely erasing disks, 22
zero-day exploits, 221
zombies, 215, 216
zone transfers, DNS, 489