OSX Hardening - Traxes/Hardening GitHub Wiki
#Introduction
As no official hardening guide for Apple's OS X Mountain Lion is available yet, ERNW has compiled the most relevant settings into this checklist. A much larger number of controls could be applied; this document is meant to provide a solid baseline. Settings that might severely affect the functionality of the operating system and would need extensive further testing are not part of this checklist.
We have marked each recommended setting either "mandatory" or "optional" to state clearly which settings are a MUST (mandatory) and which are a SHOULD (optional) from our point of view. "Optional" still means that we recommend applying the setting, but functionality required on the system may become unavailable once it is applied.
#Authentication
##Disable Auto-login
- Go to Security & Privacy settings in the System Preferences menu.
- Check Disable automatic login.
##Enable Single User Mode Authentication
- On the console line in /etc/ttys, change secure to insecure.
With the console marked insecure, booting into single user mode prompts for the root password. If the root account is disabled (i.e. has no valid password), single user mode cannot be entered at all. Keep a backup of /etc/ttys before editing it. This control stops password-less root shells at the console only; a firmware password (see Set EFI Password) is still needed to prevent booting from other media.
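The change above is a one-word edit, but it is easy to get wrong (other entries in /etc/ttys also carry a secure flag). The following POSIX shell script, an added example that is not part of the ERNW checklist or the Traxes wiki, reports the current flag on the console entry, rewrites only that entry with a backup, and can be run twice without side effects. The sample ttys content is constructed from the layout OS X 10.8 ships; the `--apply` switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample in the layout of /etc/ttys on OS X 10.8. Only the "console"
# entry matters for single user mode; the serial entry is there to show that
# other lines carrying "secure" are left untouched.
SAMPLE_TTYS='#
# name  getty  type  status  comments
#
console "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow" vt100 on secure onoption="/usr/libexec/getty std.9600"
tty.serial "/usr/libexec/getty serial.9600" vt100 off secure'

# Print "secure" or "insecure" for the console entry of the given ttys file
# (prints nothing when the file has no console entry).
ttys_console_status() {
    awk '$1 == "console" {
            for (i = 2; i <= NF; i++)
                if ($i == "secure" || $i == "insecure") { print $i; exit }
         }' "$1"
}

# Flip the console entry from secure to insecure so that single user mode asks
# for the root password. Keeps a .bak copy; a second run changes nothing because
# "insecure" is not preceded by whitespace and "secure".
ttys_require_root_in_single_user() {
    f="$1"
    sed -i.bak \
        -e '/^console[[:space:]]/ s/\([[:space:]]\)secure\([[:space:]]\)/\1insecure\2/' \
        -e '/^console[[:space:]]/ s/\([[:space:]]\)secure$/\1insecure/' \
        "$f"
}

# Touch the real file only when asked explicitly (needs root on OS X).
if [ "${1:-}" = "--apply" ]; then
    ttys_require_root_in_single_user /etc/ttys
    echo "console is now: $(ttys_console_status /etc/ttys)"
fi
```

Run it without arguments to load the functions for inspection (for example `ttys_console_status /etc/ttys`), and with `--apply` as root to make the change; the backup lands in /etc/ttys.bak.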
##Require Username and Password for Login
- Go to Users & Groups settings in the System Preferences menu.
- At Display login window as select Name and password.
##Disable Password Hints
- Go to Users & Groups settings in the System Preferences menu.
- Choose Login Options.
- Uncheck Show password hints.
##Set Screensaver Inactivity Interval
- Set the inactivity interval to 5 minutes (300 seconds). The setting is stored per user and per host, so run the command as every user of the machine:
defaults -currentHost write com.apple.screensaver idleTime -int 300
##Require Password to Unlock Screensaver
- Go to Security & Privacy settings in the System Preferences menu.
- Choose tab General.
- Check Require password […] after sleep or screen saver begins.
- Set the duration to immediately.
##Restrict sudo Configuration
- Open the sudoers file with visudo (never edit /etc/sudoers directly; visudo checks the syntax before saving, and a syntax error would lock everyone out of sudo):
visudo
- Require the password for every single sudo invocation and bind the credential ticket to the terminal in which it was obtained [1]:
Defaults timestamp_timeout=0
Defaults tty_tickets
##Disable Unauthorized Administrative Access for Sessions Locked Through Screensaver
By default any administrator can unlock a screen that another user has locked. The following change limits unlocking to the session owner and the members of one dedicated group. Back up /etc/authorization first and keep the plist well-formed; a broken file can prevent all logins.
- In /etc/authorization edit the section system.login.screensaver as follows:
<key>system.login.screensaver</key>
<dict>
<key>class</key>
<string>rule</string>
<key>comment</key>
<string>The owner can unlock the screensaver.</string>
<key>rule</key>
<string>authenticate-session-owner-or-group</string>
</dict>
- Go to the rules section and add the following element (replace MAC-ADMIN-GROUP with the group that may unlock other users' sessions, and "your comment" with a meaningful comment):
<key>authenticate-session-owner-or-group</key>
<dict>
<key>allow-root</key>
<false/>
<key>class</key>
<string>user</string>
<key>comment</key>
<string>your comment</string>
<key>group</key>
<string>MAC-ADMIN-GROUP</string>
<key>session-owner</key>
<true/>
<key>shared</key>
<false/>
</dict>
allow-root false means root is not allowed through implicitly, shared false means a successful authentication is not reused by other rights, and session-owner true is what lets the user who locked the screen unlock it without being in the group.
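Because the rule is plain XML, it is worth verifying the values that actually matter (allow-root, shared, session-owner, class, group) after editing. The following POSIX shell script is an added example, not part of the ERNW checklist or the Traxes wiki: it extracts those keys from a flat rule plist with awk and fails with a reason when one of them would widen access. The sample plist is constructed from the rule above; the `--live` switch, which reads the active rule with `security authorizationdb read`, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed plist in the shape of the rule added above (placeholder group kept).
SAMPLE_RULE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>allow-root</key>
    <false/>
    <key>class</key>
    <string>user</string>
    <key>comment</key>
    <string>your comment</string>
    <key>group</key>
    <string>MAC-ADMIN-GROUP</string>
    <key>session-owner</key>
    <true/>
    <key>shared</key>
    <false/>
</dict>
</plist>'

# Print the value of a top-level key of a flat plist dict: "true"/"false" for
# booleans, the body for <string> values. Assumes one key or value per line,
# which is how the file is laid out and how security(1) prints rules.
plist_value() {
    awk -v want="$2" '
        /<key>/ { k = $0; sub(/.*<key>/, "", k); sub(/<\/key>.*/, "", k); next }
        k == want {
            if ($0 ~ /<true\/>/)  { print "true";  exit }
            if ($0 ~ /<false\/>/) { print "false"; exit }
            if ($0 ~ /<string>/)  { v = $0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v); print v; exit }
        }' "$1"
}

# Return 0 when the rule only lets the session owner or members of GROUP unlock,
# 1 (with the first offending key on stderr) otherwise.
check_unlock_rule() {
    f="$1"; grp="$2"
    [ "$(plist_value "$f" allow-root)" = "false" ]   || { echo "allow-root must be false" >&2; return 1; }
    [ "$(plist_value "$f" shared)" = "false" ]       || { echo "shared must be false" >&2; return 1; }
    [ "$(plist_value "$f" session-owner)" = "true" ] || { echo "session-owner must be true" >&2; return 1; }
    [ "$(plist_value "$f" class)" = "user" ]         || { echo "class must be user" >&2; return 1; }
    [ "$(plist_value "$f" group)" = "$grp" ]         || { echo "group must be $grp" >&2; return 1; }
    return 0
}

# On OS X, check the rule the authorization database actually serves rather than
# the file on disk. Assumption: the rule is named as in the edit above; the group
# defaults to "admin" unless given as the second argument.
if [ "${1:-}" = "--live" ]; then
    security authorizationdb read authenticate-session-owner-or-group > /tmp/unlock-rule.plist
    check_unlock_rule /tmp/unlock-rule.plist "${2:-admin}" && echo "screensaver unlock rule OK"
fi
```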
#System Security
##Automatically Lock Login Keychain
- Open Keychain Access and select the login keychain.
- Choose Edit → Change Settings for Keychain “login”.
- Set Lock after […] minutes of inactivity to 10.
- Check Lock when sleeping.
##Change Initial Password for Login Keychain
- Open Keychain Access and select the login keychain.
- Choose Edit → Change Password for Keychain “login”.
- Set a new password different from the login password.
With a separate password the login keychain is no longer unlocked automatically at login, so a captured login password alone does not expose the stored secrets.
##Enable Automatic Updates
- Go to App Store settings in the System Preferences menu.
- Check Automatically check for updates.
- Check Download newly available updates in the background.
- Check Install app updates.
- Check Install system data files and security updates. [2]
##Disable Guest Access
- Go to Users & Groups settings in the System Preferences menu.
- Choose the Guest User.
- Uncheck Allow guests to log in to this computer.
##Enable Gatekeeper
- Go to System Preferences → Security & Privacy.
- Choose tab General.
- Set Allow applications downloaded from to Mac App Store and identified developers.
This prevents downloaded (quarantined) application bundles without a valid signature from being executed. It does not cover applications/binaries that are not bundles. An unsigned application bundle from a trusted source can still be executed by right-clicking the bundle, choosing Open, and confirming the warning dialog with Open; an exception for that bundle is then recorded automatically. Users should be told that this is exactly the step a malicious download will ask them to perform.
##Set EFI Password
Prevent unauthorized changes to the boot process by setting a firmware password.
- Use the Firmware Password Utility (in the Utilities menu of the Recovery system) to set a firmware password.
The password is then required when booting into Single User, Verbose or Target Disk mode, when choosing another boot device with the Option key, and when booting into the recovery mode (Command-R). It does not protect the data on the disk; combine it with FileVault (see Implement Hard Disk Encryption).
##Disable Core Dumps
Core dumps can contain passwords and keys from process memory. Disable them for launchd and every process it starts:
launchctl limit core 0
The setting does not survive a reboot; add the corresponding limit line to /etc/launchd.conf to make it persistent.
##Prevent Safari from Opening Known File Types
- Launch the Safari browser application.
- Choose Preferences.
- Choose tab General.
- Uncheck Open “safe” files after downloading.
##Set Strict Global umask
echo "umask 027" >> /etc/launchd.conf
Files created by launchd-started processes, including user sessions, are then no longer world-readable. This might break the installation of additional software that relies on a less strict umask.
##Set Strict Home Directory Permissions
chmod 700 /Users/<username>
Repeat for every local account. Note that this also makes ~/Public and its Drop Box folder unreachable for other users.
##Enable Secure Erase of Deleted Files in Trash
- Launch the Finder application.
- Choose Preferences.
- Click Advanced….
- Check Empty Trash securely.
##Implement Hard Disk Encryption
- Launch the System Preferences application.
- Choose Security & Privacy.
- Click FileVault….
- Turn FileVault on.
Store the recovery key shown during activation in a safe place; without it, a forgotten login password means the data is lost.
#Network Security
##Disable Apple File Protocol (AFP)
- Go to System Preferences → Sharing.
- Select File Sharing.
- Click Options….
- Uncheck Share files and folders using AFP.
- Alternatively AFP can be disabled using the command line interface:
launchctl unload -w /System/Library/LaunchDaemons/com.apple.AppleFileServer.plist
Disabled by default on OS X 10.8.
##Disable File Transfer Protocol (FTP) daemon
launchctl unload -w /System/Library/LaunchDaemons/ftp.plist
Disabled by default on OS X 10.8. FTP transmits credentials in clear text; there is no reason to run it on a workstation.
##Disable File Sharing
- Go to System Preferences → Sharing.
- Uncheck File Sharing.
##Disable Printer Sharing
- Go to System Preferences → Sharing.
- Uncheck Printer Sharing.
Disabled by default on OS X 10.8.
##Disable Additional and Unnecessary Services
- Disable services which are not needed or required by other applications/services:
launchctl unload -w <FullPathToPlistFile>
- Service files (plist files) are located in:
  - /System/Library/LaunchDaemons
  - /System/Library/LaunchAgents
  - /Library/LaunchDaemons
  - /Library/LaunchAgents
  - /Users/USERNAME/Library/LaunchAgents
LaunchDaemons run as root at boot, LaunchAgents run inside user sessions; launchd does not load daemons from a user's home directory. The -w flag records the service as disabled so that it stays off after a reboot.
- Before disabling a service it must be ensured that its functionality is not required by other software components or services. See the appendix for a list of candidates.
##Set Hardened TCP/IP Kernel Parameters
- Set the following kernel parameters in /etc/sysctl.conf:
net.inet.ip.fw.verbose = 1
net.inet.ip.fw.verbose_limit = 65535
net.inet.icmp.icmplim = 1024
net.inet.icmp.drop_redirect = 1
net.inet.icmp.log_redirect = 1
net.inet.ip.redirect = 0
net.inet.ip.sourceroute = 0
net.inet.ip.accept_sourceroute = 0
net.inet.icmp.bmcastecho = 0
net.inet.icmp.maskrepl = 0
net.inet.tcp.delayed_ack = 0
net.inet.ip.forwarding = 0
net.inet.tcp.strict_rfc1948 = 1
- The system must be restarted before these changes become active.
The redirect, sourceroute, bmcastecho, maskrepl and forwarding settings stop the host from honouring ICMP redirects and source-routed packets, from answering broadcast pings and netmask requests, and from routing between interfaces; strict_rfc1948 hardens initial sequence numbers. The net.inet.ip.fw.* entries only have an effect while the deprecated ipfw firewall is in use, and delayed_ack is a latency setting rather than a security control.
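Since the parameters only take effect after a reboot, it helps to have a check that compares both the file and the running kernel against the intended list. The following POSIX shell script is an added example, not part of the ERNW checklist or the Traxes wiki: it carries the list above in name=value form, reports entries that are missing from or set differently in a sysctl.conf-style file (tolerating comments and spaces around "="), and on OS X can compare the live values with `sysctl -n` or write the file. The `--write` and `--live` switches and the function names are assumptions of this example.

```shell
#!/bin/sh
# The settings from the checklist, in the name=value form sysctl(8) accepts.
EXPECTED='net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
net.inet.icmp.icmplim=1024
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.delayed_ack=0
net.inet.ip.forwarding=0
net.inet.tcp.strict_rfc1948=1'

# Normalise a sysctl.conf-style file: drop comments and blank lines, remove the
# whitespace around "=" so that "a = 1" and "a=1" compare equal.
normalise_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1"
}

# Print one line per expected entry that FILE lacks or sets to another value
# ("<name> expected <v> got <v|<unset>>"). Returns 0 when FILE matches, 1 otherwise.
# If a name appears several times, the last occurrence wins, as it does for sysctl.
conf_missing() {
    have=$(normalise_conf "$1")
    rc=0
    for entry in $EXPECTED; do
        name=${entry%%=*}
        cur=$(printf '%s\n' "$have" | awk -F= -v n="$name" '$1 == n { v = $2 } END { print v }')
        if [ "$cur" != "${entry#*=}" ]; then
            echo "$name expected ${entry#*=} got ${cur:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# On OS X: compare the running kernel with the list (useful after the reboot, or
# after applying a value immediately with `sysctl -w name=value` as root).
live_check() {
    for entry in $EXPECTED; do
        name=${entry%%=*}
        cur=$(sysctl -n "$name" 2>/dev/null)
        [ "$cur" = "${entry#*=}" ] || echo "$name is ${cur:-<unavailable>}, want ${entry#*=}"
    done
}

case "${1:-}" in
    --write) printf '%s\n' "$EXPECTED" > /etc/sysctl.conf ;;   # needs root
    --live)  live_check ;;
esac
```

Typical use is `sh sysctl-check.sh --write` as root, a reboot, then `sh sysctl-check.sh --live`; the function `conf_missing /etc/sysctl.conf` can also be sourced into a configuration-audit script.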
##Enable Network Time Synchronization via NTP
Accurate time is needed for log correlation and for certificate validity checks.
- Edit /private/etc/hostconfig and change TIMESYNC to YES.
- Configure the desired NTP server in /private/etc/ntp.conf through a corresponding server entry.
- Reload the NTP daemon so it picks up the new configuration (unload it first if it is already loaded):
launchctl load -w /System/Library/LaunchDaemons/org.ntp.ntpd.plist
##Disable Bluetooth
- Disable Bluetooth in System Preferences → Bluetooth if it is not needed.
##Disable Location Services
- Go to System Preferences → Security & Privacy.
- Choose tab Privacy.
- Uncheck Enable Location Services, or uncheck the applications which should NOT be able to access location services.
##Enable Firewall
- Go to System Preferences → Security & Privacy.
- Choose tab Firewall.
- Click Turn On Firewall.
- Click Firewall Options….
- Check Block all incoming connections.
- Check Automatically allow signed software to receive incoming connections only if you are not familiar with firewall configuration and want to make sure that all functionality remains available; it lets any signed application open a listening port without asking.
- Check Enable stealth mode.
Note that the application firewall filters incoming connections only; it does not restrict outbound traffic.
##Disable Wake-on-LAN
- Go to System Preferences → Energy Saver.
- Choose tab Options.
- Uncheck Wake for network access.
##Limit IPv6 to Local Subnet/Disable IPv6 [3]
- Go to System Preferences → Network.
- For all relevant interfaces click Advanced….
- For Configure IPv6 select Link-local only.
This will ensure that IPv6 is only used in the local subnet. If you would like to disable IPv6 completely, enter the following commands:
- To list all network services: networksetup -listallnetworkservices
- To disable IPv6 on a specific network service (here Wi-Fi): networksetup -setv6off Wi-Fi
The setting is per network service, not global, so repeat the second command for every service listed.
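Running -setv6off for each service by hand is error-prone because the listing starts with a banner line and marks disabled services with a leading asterisk. The following POSIX shell script is an added example, not part of the ERNW checklist or the Traxes wiki: it parses a saved listing in the shape `networksetup -listallnetworkservices` prints, keeps only the enabled services (names may contain spaces), and on OS X turns IPv6 off on each of them. The sample listing is constructed; the `--apply` and `--dry-run` switches and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed output in the shape of `networksetup -listallnetworkservices`:
# a one-line banner, then one service per line; a leading "*" marks a disabled service.
SAMPLE_SERVICES='An asterisk (*) denotes that a network service is disabled.
Wi-Fi
Bluetooth PAN
*Thunderbolt Ethernet
Ethernet'

# Print the enabled service names from a saved listing, dropping the banner and
# the disabled services (a disabled service has no IPv6 to turn off).
enabled_services() {
    awk 'NR > 1 && $0 !~ /^\*/ { print }' "$1"
}

# Turn IPv6 off on every enabled service. Iterates line by line so that names
# with spaces ("Bluetooth PAN") reach networksetup as one argument.
# With "--dry-run" only the commands are printed.
disable_ipv6_all() {
    mode="${1:-}"
    networksetup -listallnetworkservices > /tmp/network-services.txt
    enabled_services /tmp/network-services.txt | while IFS= read -r svc; do
        if [ "$mode" = "--dry-run" ]; then
            echo "networksetup -setv6off \"$svc\""
        else
            networksetup -setv6off "$svc"
        fi
    done
}

case "${1:-}" in
    --apply)   disable_ipv6_all ;;             # needs an admin account on OS X
    --dry-run) disable_ipv6_all --dry-run ;;
esac
```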
#Logging & Monitoring
##Enable BSM Audit
- Edit /etc/security/audit_control and include the following lines:
dir:/var/audit
flags:all
minfree:5
naflags:lo,aa,pc,nt
policy:cnt,argv
filesz:1G
expire-after:5G
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated
- Start a new audit trail using the adjusted configuration:
audit -n
As only newly started processes pick up the audit flags, the system must be restarted for the configuration to apply to all processes. flags:all records every auditable event class and produces a large volume of data; filesz and expire-after above bound the trail size, but make sure /var/audit has the space and that the trail is collected or reviewed before it expires.
#Appendix: List of Services
The following table lists service files and the corresponding functionality that should be disabled/must not be enabled unless required.
Filename | Functionality |
---|---|
ftp.plist | FTP |
smbd.plist | SMB |
org.apache.httpd.plist | HTTP Server |
eppc.plist | Remote Apple Events |
com.apple.xgridagentd.plist | Xgrid |
com.apple.xgridcontrollerd.plist | Xgrid |
com.apple.InternetSharing.plist | Internet Sharing |
com.apple.dashboard.advisory.fetch.plist | Dashboard Auto-Update |
com.apple.UserNotificationCenter.plist | User notifications |
com.apple.RemoteDesktop.PrivilegeProxy.plist | ARD |
com.apple.RemoteDesktop.plist | ARD |
com.apple.IIDCAssistant.plist | iSight |
com.apple.blued.plist | Bluetooth |
com.apple.RemoteUI.plist | Remote Control |
[1]: With timestamp_timeout=0 every sudo invocation asks for the password, so tty_tickets has no additional effect; we recommend it anyway so that the ticket stays bound to one terminal should timestamp_timeout be raised later.
[2]: This setting only enables automatic updates for OS X and for software delivered through the App Store. Updates for 3rd-party software must be installed manually or by other means.
[3]: While IPv6 is not yet in use in many environments, we recommend gathering operational and security requirements for future deployments now:
http://blog.ipspace.net/2013/05/the-dangers-of-ignoring-ipv6.html