Mac OS

Security Solutions for Mac OS

Archive for the ‘Malwares’ Category

Posted by lionking on January 20, 2010

Administrative user

The access control mechanisms of the system may be further secured by granting administrative rights only to specific users. Each administrative user should have two user accounts: one to perform normal user operations and the other to perform administrative functions. For example, if the user James is a designated administrator, he should have a standard system account “james” with no special privileges and an administrative account “admin_james” with administrator rights. This provides accountability where there is more than one administrator on a system. Administrative users should be restricted from logging in to the system through network services using their administrative accounts. This further reduces the risk of the authentication credentials being compromised. To restrict remote access, the configuration of each network service will have to be altered.

Posted by lionking on January 17, 2010

Malware

Viruses, trojans and other malware are relatively uncommon on the Mac OS X platform, and as a result currently present a far lower risk than on Windows systems. However, their relative absence does not mean that the operating system itself is immune from malware, only that the current combination of a low OS X install base and the operating system’s security features makes the Mac OS X platform less attractive than other platforms from a virus writer’s perspective. In some organisations, security policies may mandate the use of anti-virus solutions for all desktop systems, regardless of the relative absence of viruses that specifically target Mac OS X. This could help prevent a Mac OS X system from acting as a virus transmission agent in a heterogeneous computing environment. Mac OS X Server ships with the popular and free (GPL) ClamAV (clamav.net) anti-virus software for Unix. This is a command-line application that is best suited to a server environment, but it can also be used on the desktop. An easy-to-use GUI application that uses the ClamAV scanning engine is available from www.clamxav.com, which may be more useful to the majority of Mac OS X desktop users. A number of well-known commercial anti-virus vendors now ship versions of their products for Mac.

Posted by lionking on January 6, 2010

Network Services

By default, all networking services are disabled, which gives remote attackers fewer opportunities. Enabling network services (SSH, Personal Web Sharing, FTP, etc.) allows users some form of remote access to the system and should only be permitted if there is an explicit requirement for it. Tiger uses a new daemon management framework, ‘launchd’, to handle system and daemon startup and control. Launchd incorporates the functionality of inetd, init, mach_init and SystemStarter and promises to simplify the management of daemons on Mac OS X. In the current version (10.4), either launchd or xinetd is used to control network services, depending on the installation method chosen. The xinetd daemon is started by launchd.

If there are existing xinetd configuration files in the /etc/xinetd.d directory, then xinetd is used to start these services. However, if the configuration files are not present, then launchd is used to start the services, as configured in the /System/Library/LaunchDaemons directory. This can result in inconsistencies between systems, since systems that were upgraded from Panther will use xinetd to control network services, while systems that were cleanly installed will use launchd. Since launchd was designed as a general daemon management system, it does not offer as many security features for network services as xinetd does, such as IP-based access control and connection limits. If these security features are required, then launchd can either be used together with TCP wrappers or xinetd can be used to handle network services.
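The selection rule and the xinetd controls described above can be checked with a short audit script. This is an added example, not part of the original post; the function names and the sample service files are constructed for illustration, and it assumes the standard xinetd attributes only_from, no_access, instances and per_source.

```shell
#!/bin/sh
# Which daemon manager handles network services, and do the enabled
# xinetd services set IP access control and connection limits?

# Prints "xinetd" if DIR ($1) holds any config file, otherwise "launchd".
service_manager() {
    for f in "$1"/*; do
        [ -f "$f" ] && { echo xinetd; return 0; }
    done
    echo launchd
}

# Succeeds if xinetd attribute $2 is assigned (=, += or -=) in file $1.
has_attr() {
    grep -Eq "^[[:space:]]*${2}[[:space:]]*[+-]?=" "$1"
}

# One line per file: "<name> disabled" or "<name> enabled <findings|ok>".
# Assumption: a service without "disable = yes" is treated as enabled.
audit_xinetd_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "$name disabled"
            continue
        fi
        findings=""
        has_attr "$f" only_from || has_attr "$f" no_access || findings="no-ip-acl"
        has_attr "$f" instances || has_attr "$f" per_source ||
            findings="${findings:+$findings,}no-conn-limit"
        echo "$name enabled ${findings:-ok}"
    done
}

# Constructed sample configs (not from a real system) for a dry run.
demo() {
    d=$(mktemp -d)
    printf 'service ftp\n{\n\tdisable = yes\n}\n' > "$d/ftp"
    printf 'service ssh\n{\n\tdisable = no\n\tonly_from = 192.0.2.0/24\n\tinstances = 10\n}\n' > "$d/ssh"
    printf 'service telnet\n{\n\tdisable = no\n}\n' > "$d/telnet"
    service_manager "$d"
    audit_xinetd_dir "$d"
    rm -rf "$d"
}
demo
```

On a system upgraded from Panther, call audit_xinetd_dir /etc/xinetd.d instead of demo; a result of "launchd" from service_manager means these xinetd controls are not in effect for that host.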