
NSA Security Guide for Mac OS X

An anonymous reader writes "The National Security Agency has just released a Security Configuration Guide for Apple Mac OS X (pdf). The guide mostly contains common sense configuration information that applies to many Unix systems. It also includes specific discussion for Apple's unique features such as Keychain and FileVault. It should be useful to most Mac OS X users and will be particularly useful for US Government organisations that use Mac OS X and for commercial IT Departments that are supporting Mac OS X. A range of other NSA Security Configuration guides for other operating systems, applications, and IT kit are also available."
This discussion has been archived. No new comments can be posted.

  • by Scutter ( 18425 ) on Friday October 29, 2004 @11:08AM (#10663141) Journal
    How about this [nsa.gov]? There are several linked off that NSA page besides this one.
  • File Vault (Score:5, Informative)

    by dumitrius ( 686430 ) on Friday October 29, 2004 @11:08AM (#10663144)
    This is simply the encryption of the entire user's home directory. I had this enabled on my powerbook, stuffed it with a few gigs of data and it ran fine for a while... maybe like 3 months. Then one day on a reboot the thing silently lost all my personal settings and dropped me into a stock desktop configuration. Was nursing this for a week or two when I started getting garbage in some source files. Was thinking maybe the hard drive was defective but have a hunch the encryption just went haywire and was getting worse. Turning File Vault off failed with an error. Have reinstalled the os keeping a plain text home dir and things seem dandy.

    Has anyone seen this before?

  • Re:File Vault (Score:5, Informative)

    by eyegor ( 148503 ) on Friday October 29, 2004 @11:15AM (#10663205)
    It happened to me too.... I managed to get everything back though. There was a sparse diskimage file that contained my home directory. Once I mounted it, everything returned to normal.

    Your mileage may vary.
  • Re:File Vault (Score:2, Informative)

    by dema ( 103780 ) on Friday October 29, 2004 @11:23AM (#10663267) Homepage
    Happened to my boss less than a month ago. Spent a long time trying to recover a lot of his shit (some very important files) and had no luck. Long story short, no one at work uses file vault now (: Maybe this is something that will improve in Tiger?
  • Re:File Vault (Score:4, Informative)

    by Anonymous Coward on Friday October 29, 2004 @11:26AM (#10663302)
    Many people had problems when it first came out. It was caused by the "recovering space" thing not completing before the user logged in again. I still don't trust Apple's default configuration since there are warnings in their own documentation against using a sparse image, which File Vault does.

    I've used this hint [macosxhints.com] for over six months now without problem.

    On the other hand, it's trivial to get the user's password from swap, unless Apple fixed this hole already, so there's not much point to File Vault right now.
  • Re:Screwed up (Score:3, Informative)

    by AKAImBatman ( 238306 ) * <akaimbatman@gmaYEATSil.com minus poet> on Friday October 29, 2004 @11:32AM (#10663341) Homepage Journal
    You're telling me there are no Mac users (besides myself) that can see The Mysterious Future(TM)? Very well then. Here's a preview of the next article [geektimelinux.com]. SuSE 9.2 is out. There, I said it. Now prepare something insightful to say. :-)
  • by jasonbowen ( 683345 ) on Friday October 29, 2004 @11:39AM (#10663404)
    I guess you haven't heard of SELinux?
  • by athanis ( 241024 ) on Friday October 29, 2004 @11:41AM (#10663425)
    How come the NSA only publishes guidelines for the MacOS? Actually, I think that with the recent onslaught of network vulnerabilities, government organizations would do well to educate the public more about security.

    In fact, where I live (Hong Kong), the government had a radio show where there would be a quick tip about securing your machine. Obviously, the focus was on Windoze, but anything that elevates the awareness of the general public to computer security is a good thing.
  • by psyconaut ( 228947 ) on Friday October 29, 2004 @11:43AM (#10663447)
    They did, didn't they? In the form of their own Linux distribution.

    http://www.nsa.gov/selinux/

    If you read the source and documentation, it's quite clear what they did. Producing a "boiler-plate" security document for all Linux distributions would be futile -- there are too many variables involved.

    A commercial product such as OSX is quite a bit more linear, and thus it is easier to release a straightforward guide.

    -psy
  • Re:What about... (Score:2, Informative)

    by Englabenny ( 625607 ) <.ulrik.sverdrup. .at. .gmail.com.> on Friday October 29, 2004 @11:51AM (#10663530) Homepage
    Fortunately internet explorer is discontinued
  • by daveschroeder ( 516195 ) * on Friday October 29, 2004 @11:53AM (#10663564)
    Corsaire Ltd has an excellent practical OS X security whitepaper [corsaire.com] in this same vein.
  • by MoneyT ( 548795 ) on Friday October 29, 2004 @12:09PM (#10663749) Journal
    Well, it's not the best solution, but if you want to move your keychain from one computer to another, just open the Keychains folder in your User library (~/Library)
  • by daveschroeder ( 516195 ) * on Friday October 29, 2004 @12:18PM (#10663840)
    Apple is most certainly not tying digital identity to the computer.

    Your Keychain, in ~/Library/Keychains, is perfectly portable, and designed to be moved from computer to computer, or stored on a device for storing such tokens, such as a USB flash drive.

    Further, that certificates are even in your keychain at all implies that you should have access to the original source certificate files, which clearly remain portable.

    And finally, rumor has it [appleinsider.com] that Tiger will include much more advanced features for managing, importing, and exporting certificates and CAs.
  • by skiman1979 ( 725635 ) on Friday October 29, 2004 @12:40PM (#10664133)
    um... they don't just publish guides for MacOS. NSA has security guides for other operating systems as well. Check the last link in the article summary.
  • Re:File Vault (Score:3, Informative)

    by suprax ( 2463 ) on Friday October 29, 2004 @12:53PM (#10664326)
    Ditto here. Just last week I turned on FileVault and let it run its course for like 15 minutes. Finally it said reboot but the screen was frozen. Upon rebooting the user could log in but nothing would load at all. It pretty much straight up broke. Luckily I was able to go into single user mode, and could ftp all my data off the machine before reinstalling.

    No more FileVault for me. And this was Tiger (yes I know, it's not even beta software but I like to test).
  • by SethJohnson ( 112166 ) on Friday October 29, 2004 @01:03PM (#10664464) Homepage Journal
    File Vault is actually an encrypted file system. It mounts your user dir as a volume and accesses the data on that system via the key you create.

    Yes, the nature of this architecture means that there can be zero disk corruption or you won't be able to mount it. So in a normal disk corruption setting, you would lose a few files or something. Having your user dir as an encrypted volume forces a sort of checksum on all the data and if even a single byte is incorrect, then the whole thing fails to mount.

    It's actually a very secure method of storing your user data. Performance-wise, I've noticed that you can't use iMovie to import video files to your home dir if you're using file vault. The overhead on writing to the encrypted file system is too much for my 1.3GHz powerbook. The video import is all kinds of choppy. Importing to the regular hard drive is fine, though.
  • Re:Guide for Linux? (Score:3, Informative)

    by Zinho ( 17895 ) on Friday October 29, 2004 @01:17PM (#10664646) Journal
    It doesn't look like they're maintaining a current document on Linux. Their comprehensive list of current configuration guides [nsa.gov] does not list any, in any case. I did find their list of archived guides [nsa.gov], which has a guide for Apache 1.3.3 on Red Hat 5.1 - it had the following explanation for why guides get into the archive:
    NSA has developed and maintained configuration guidance for a number of products. Over time these products age, are superseded by newer versions, or are no longer used by its customers. As such, NSA may choose to discontinue maintenance and archive some of these guides.
    So it looks to me like they're not supporting Linux with this program, regardless of the fact that someone else in the organisation is building SELinux. Sounds like a classic case of right-hand not knowing what the left hand is doing...
  • MacOSX attacks... (Score:5, Informative)

    by mveloso ( 325617 ) on Friday October 29, 2004 @01:30PM (#10664851)
    Attacks on MacOS X will be driven by user interaction.

    The biggest problem for malware writers in MacOS X is that it's hard to remotely attack the box.

    Mac OS 9 and its ilk were pretty much impossible to compromise remotely, because, well, they were designed as single-user OSs with no network services (no network daemons) installed by default.

    Mac OS X isn't quite like that, but it's close. The downside is all those bsd-level things probably have holes of one sort or another. Has anyone actually checked the robustness of Apple's X-11 implementation?

    OTOH, it's much easier to get the user to click and download something. The "prompt for your admin password" thing is great, but everyone does it without thinking these days, giving any installer root access.

    Once that happens, you can install anything, anywhere, and given the structure of MacOS X you can hide your stuff in places a normal user won't be able to find. The "Opener" guys (see www.macintouch.com) should have edited the rc scripts, not stuck their stuff in /Library/StartupItems.

    Luckily, the web/email based attacks haven't worked so far (unlike on Windows), so you really do need to get someone to run an app. These days that isn't as hard as it used to be.

    Apple could protect against that by doing a system restore/diff after every installer run. It would be useful after-the-fact, and most users may not understand any of it, but it would be nice to have. Or (assuming the metadata stuff works in tiger) you could stash metadata info on the installed files somewhere, then search across your filesystem for matching stuff?

    Ideally (and this is what MS tried) each publisher would sign all their files, and that sig would be part of the file metadata. So you could list, see, and search across it. Malware would bypass that, though, but you never know.
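
The before/after comparison suggested in the comment above, as an added example that is not part of the original thread and is not an Apple tool: it hashes a directory tree before and after an installer run and flags new or modified files in the boot-time locations the comment names. The names `snapshot`, `diff`, `demo` and `WATCHED` are hypothetical, and the sample tree is constructed in a temporary directory.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Persistence points named in the comment; the "etc/rc" prefix match is an assumption.
WATCHED = ("Library/StartupItems/", "etc/rc")


def snapshot(root):
    """Map each regular file under root to (sha256, permission bits)."""
    state = {}
    for path in Path(root).rglob("*"):
        info = path.lstat()
        if not stat.S_ISREG(info.st_mode):
            continue  # skip directories, symlinks, devices
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[path.relative_to(root).as_posix()] = (digest, stat.S_IMODE(info.st_mode))
    return state


def diff(before, after):
    """List added, removed and changed paths, flagging watched locations."""
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    flagged = [p for p in added + changed if p.startswith(WATCHED)]
    return {"added": added, "removed": removed, "changed": changed, "flagged": flagged}


def demo():
    """Constructed tree standing in for a system before and after an installer."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(data)
        write("Applications/Editor.app/editor", "v1")
        write("etc/rc", "#!/bin/sh\n# stock boot script\n")
        before = snapshot(root)
        # Simulated installer run: one expected file, two persistence changes.
        write("Applications/Tool.app/tool", "v1")
        write("Library/StartupItems/helper/helper", "#!/bin/sh\n")
        write("etc/rc", "#!/bin/sh\n# stock boot script\n/usr/local/bin/helper &\n")
        return diff(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is taken and stored somewhere the installer, which runs with root access, cannot rewrite.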
  • by jerw134 ( 409531 ) on Friday October 29, 2004 @02:13PM (#10665469)
    So, what exactly does accepting a cookie have to do with security? I can't seem to figure that one out.

    If you would have said privacy, you could possibly have had a point. But security? No way.
  • Re:Mirror anyone? (Score:3, Informative)

    by npongratz ( 319266 ) on Friday October 29, 2004 @02:14PM (#10665480)
    I'm probably stating the obvious, but here's the mirror [mirrordot.org]:
    http://mirrordot.org/stories/111603fdae30 b9727bb43 2e622eff8e3/osx_client_final_v.1.pdf
  • by ubrgeek ( 679399 ) on Friday October 29, 2004 @02:15PM (#10665494)
    The NSA has decided that they don't have the resources to continue putting out new lockdown docs. They're going to let the vendors do it for them. No joke.
  • Re:What about... (Score:5, Informative)

    by Yaztromo ( 655250 ) on Friday October 29, 2004 @02:22PM (#10665587) Homepage Journal
    I don't see how simply having a centralized 'This app needs Admin access' form makes it any harder to write malware for a system, any app could trigger that function and make the request.

    It is my understanding that on OS X, the authorization dialog pops up because a request to a protected resource/API has been made, as opposed to an application being able to just randomly tell the OS to pop up an authorization dialog.

    The dialog itself always displays the name (and if available icon) of the application making the request, as well as the name of the right being requested. As this is put together only by the OS, you can't substitute one right name when you really want to do something different. And getting one right doesn't automatically permit a process to use any other right on the system -- each right needs authorization.

    It's actually quite a good system, and has been very well thought out. It does, of course, rely on some vigilance by the end user -- if they're entering their password anytime it's being requested without quickly checking to see what is making the request and why, obviously they're going to get into trouble.

    Then again, if I e-mail a bunch of Linux admins and ask them for their passwords, and they send them to me, you wind up with the same end result.

    Yaz.

  • by cft_128 ( 650084 ) on Friday October 29, 2004 @02:28PM (#10665672)
    I blinked, told myself I was having a very bad dream, and logged off. When I logged back in, everything was fine and I breathed a huge sigh of relief! I guess I was one of the "lucky" ones. I keep using it and I haven't had any more issues... yet.

    I've had both problems happen (the bad and the recoverable), the bad one has not happened since I updated to 10.3.1. For the recoverable with a re-login one, near as I can tell this comes from some legacy 8 character password weirdness. As this post [macosxhints.com] indicates, if you have upgraded your computer from jaguar to panther you will only need 8 characters of your password to be correct to log in. What I have noticed is that FileVault does not have the 8 char limit and needs *all* of the characters in your password to be correct. This causes some weirdness if you have a 12 character password and have a typo in the 10th character: you will be logged in but not see any of your data. The really stupid thing is there is no error message displayed*.

    Having said that, I haven't had the problem crop up in a while so they might have fixed it.

    *Sort of: if you do not have FileVault on, your keychain will choke and ask for your password again.

  • Re:What about... (Score:3, Informative)

    by Carnildo ( 712617 ) on Friday October 29, 2004 @03:41PM (#10666587) Homepage Journal
    That part was not mentioned. However, it is not a good practice to do much of anything as an administrator, so I have to wonder if this is of any use, anyhow.

    On MacOSX, running as an administrator is not the same as running as "root". On MacOSX, running as an "administrator" is more-or-less equivalent to having "sudo" privileges on a Unix box: entering your password in a security box permits you to do certain administrator-type operations for a limited period.
  • Re:Guide for Linux? (Score:1, Informative)

    by Anonymous Coward on Friday October 29, 2004 @04:07PM (#10666852)
    They actually have their own distribution [nsa.gov].
