Transcription
Apple SecurityChecklist Companion2nd EditionA practical guide for automating security standardsin the Apple Enterprise with the Casper SuiteSeptember 2009
JAMF Software, LLC 2009 JAMF Software, LLC. All Rights Reserved.JAMF Software has made all efforts to ensure that this guide isaccurate.JAMF Software1011 Washington Ave SouthSuite 350Minneapolis, MN 55415(612) 605-6625JAMF Software, the JAMF Software logo, the Casper Suite, CasperAdmin, Casper Imaging, Casper Remote, Casper VNC, Composer, theJAMF Software Server (JSS), JSS Mobile, JSS Set Up Utility, JAMFVNC,Recon and Recon for PC are all trademarks of JAMF Software, LLCregistered in the US.Apple, the Apple logo, AirPort, AppleScript, AppleShare, AppleTalk,Bonjour, Boot Camp, ColorSync, Exposé, FileVault, FireWire, iCal, iChat,iMac, iSight, iTunes, Keychain, Leopard, Mac, Mac Book, Macintosh,Mac OS,QuickTime, Safari, Xgrid, Xsan, and Xserve are trademarks ofApple Inc., registered in the U.S. and other countries.
ContentsIntroduction44456Target AudienceHow to use this guideAcknowledgementsRegulatory Compliance FrameworksUseful Links on Security ConcernASC Guide789101113141516Installing Mac OS XProtecting System HardwareSecuring Global System SettingsSecuring AccountsSecuring System PreferencesSecuring Data Using EncryptionInformation Assurance with ApplicationsInformation Assurance with ServicesAdvanced Security ManagementAppendix A17192223242830Meeting Sarbanes-Oxley ObjectivesRole Based Administrator AccessSoftware RestrictionCasperVNC SecurityChange Local Administrator Account PasswordEnforce Screen Saver SettingsProtocol Security3
IntroductionTarget AudienceThe Apple Security Checklist Companion (ASCC) is intended for ITpractitioners engaged in governance, compliance and security relatedto Macintosh OS X computers.How to Use This GuideThe ASCC is a companion document to be used in conjunction withMac OS X Security Configuration Guide For Version 10.5 Leopard (v.2)published in January of 2009. Please download a copy from the linkfound below and become familiar with the security guidelines set forthby Apple with contributions made by the NSA, NIST and DISA.Using Apple’s guidelines as the authoritative source for securitystandards on Mac OS X, the ASCC provides you with an index of how toautomate compliance with these standards using the Casper Suite.AcknowledgementsJAMF Software would like to thank Apple Computer for not onlypublishing the security guide, but for the guidance they have providedregarding security on the platform. Additionally, we’d like to thankthe security experts from our customer community for the insightsthat they have lent us as we have grown our understanding in thisincreasingly critical area for the Mac OS.4
Regulatory Compliance FrameworksThe increased need for security automation is driven by organizationslooking to provide a more secure computing environment as well asbeing driven by regulatory mandates.For government institutions, the current iteration of the FederalDesktop Core Configuration (FDCC) does not include Mac OScomputers. For those in the public sector, Sarbanes-Oxleyrequirements are not clearly articulated for Apple hardware, leavingthe responsible system administrator at a loss for how to complyspecifically when administering Apple hardware.This companion document follows the Apple guide in providinga “How to automate.” the What and the Why provided by Apple.As standards continue to emerge, this document will be updatedto reflect the evolving landscape of security on Mac OS platform.Appendix A looks more in depth at Sarbanes-Oxley controls andsupercedes the document titled “Security and Casper.”5
Useful Links onSecurity ConcernsMac OS X Security Configuration /Mac OS X v10.5 (Leopard)Mac OS X Security Configuration Guide *Mac OS X Server Security Configuration GuideMac OS X v10.4 (Tiger)Mac OS X Security Configuration GuideMac OS X Server Security Configuration GuideMac OS X v10.3 (Panther)Client Security Configuration GuideServer Security Configuration Guide* There are additional links found within each of these guides. Asa matter of practicality, this document is based on the Mac OS Xv10.5 (Leopard) security guide and the links found on pages 16 and17 provide a wealth of information from Apple and US Governmentagencies and should be pursued as part of any inquiry into securingMac OS client machines.6
Installing Mac OS XFor hardening security on Mac OS X systems and maintaining thesecurity Apple provides the Mac OS X Security Configuration guide asa source of instructions and recommendations. By using The CasperSuite your chosen security configuration can be implemented andmaintained throughout the life cycle of your managed Macs. Thisdocument, which is based off of the Apple Security Checklist (ASC) thatis included in the Mac OS X Security Configuration guide, details thedeployable objects and the Casper Suite deployment mechanisms thatcan be used to implement Apple’s recommended security actions.Installation Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismSecurely erase the Mac OS X partitionbefore installation29ScriptCasper ImagingInstall Mac OS X using Mac OSExtended disk formatting20OS ImageCasper ImagingDo not install unnecessary packages30OS ImageCasper ImagingDo not transfer confidentialinformation in Setup Assistant32OS ImageCasper ImagingDo not connect to the Internet31OS Image, Stand AloneJSSCasper Imaging and JSS on aFireWire driveCreate administrator accounts withdifficult-to-guess names33Script, DMGCasper Imaging, Casper Remote,PolicyCreate complex passwords foradministrator accounts33N/AAll Casper Suite products havesupport for complex passwords.Do not enter a password-relatedhint; instead, enter help desk contactinformation33Script, ManagedPreferenceCasper Remote, PolicyEnter correct time settings33,91Script, DMGCasper Imaging, Casper Remote,PolicyUse an internal Software Updateserver34Setting, ManagedPreferenceJSSUpdate system software usingverified packages37Software UpdateServer PKG, DMG HTTPDownloadsCasper Imaging, Casper Remote,PolicyRepair disk permissions afterinstalling software or softwareupdates37SettingCasper Imaging, Casper Remote,Policy7
Protecting System HardwareWhen hardening Mac OS X desktop systems after installation, protectyour system hardware with the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Hardware Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismRestrict access to rooms that havecomputersN/AN/AN/AStore computers in locked or securecontainers when not in useN/AN/AN/ADisable Wi-Fi Support Software43Script-CompleteRemoval, ManagedPreference-DisableOnlyCasper Imaging, Casper Remote,Policy, Resource KitDisable Bluetooth Support Software44Script-CompleteRemoval, ManagedPreference-DisableOnlyCasper Imaging, Casper Remote,Policy, Resource KitDisable Audio Recording SupportSoftware46ScriptCasper Imaging, Casper Remote,PolicyDisable Video Recording SupportSoftware47ScriptCasper Imaging, Casper Remote,PolicyDisable USB Support Software48ScriptCasper Imaging, Casper Remote,Policy, Resource KitDisable FireWire Support Software49ScriptCasper Imaging, Casper Remote,Policy8
Securing Global SystemSettingsWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Global System Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismRequire an Open Firmware or EFIpassword55DMG, OS Image, ScriptCasper Imaging, Casper Remote,PolicyCreate an access warning for thelogin window57DMG, OS Image, Script,*Managed PreferenceCasper Imaging, Casper Remote,PolicyCreate an access warning for thecommand line59DMG, OS Image, ScriptCasper Imaging, Casper Remote,Policy9
Securing AccountsWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Account Configuration Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismCreate an administrator accountand a standard account for eachadministrator61JSS Setting, QuickAdd,ScriptCasper Imaging, Casper RemoteCreate a standard or managedaccount for each nonadministrator64QuickAdd, ScriptCasper Imaging, Casper Remote,PolicySet parental controls for managedaccounts64Script, DMG, ManagedPreferenceCasper Imaging, Casper Remote,PolicyRestrict sudo users to access requiredcommands69Script, DMGCasper Imaging, Casper Remote,PolicySecurely configure LDAPv3 access72Script, DMGCasper Imaging, Casper Remote,PolicySecurely configure Active Directoryaccess72Script, DMGCasper Imaging, Casper Remote,PolicyUse Password Assistant to generatecomplex passwords73SettingCasper Remote, PolicyAuthenticate using a smart card,token, or biometric device75,76DMGCasper Imaging, Casper Remote,PolicySet a strong password policy77Script, Unix CommandCasper Imaging, Casper Remote,PolicySecure the login keychain78Script, Unix CommandCasper Imaging, Casper Remote,PolicySecure keychain items80Script, Unix CommandCasper Imaging, Casper Remote,PolicyCreate keychains for specializedpurposes79Script, Unix CommandCasper Imaging, Casper Remote,PolicyUse a portable drive to storekeychains82DMGCasper Imaging, Casper Remote,Policy10
Securing System PreferencesWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.System Preferences Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismLog in with administrator privileges86Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicyEnable MobileMe only for useraccounts without access to criticaldata87Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure MobileMepreferences87Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure Accountspreferences89Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure Appearancepreferences92Script, DMG, ManagedPreferenceCasper Imaging, Casper Remote,PolicyChange the number of recent itemsdisplayed93Script, DMG, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurely configure Bluetoothpreferences94Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure CD & DVDpreferences95Script, DMG,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure Date & Timepreferences96ScriptCasper Imaging, Casper Remote,PolicySecurely configure Desktop & ScreenSaver preferences97Script, UserEnvironment Package,*Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure Displaypreferences99Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurely configure Dock preferences99Script, UserEnvironment Package,Unix Command,Managed PreferenceCasper Imaging, Casper Remote,PolicySecurely configure Energy Saverpreferences100Script, Resource Kit,Managed PreferenceCasper Imaging, Casper Remote,PolicyConfigure Exposé & SpacesPreferences102Script, Unix CommandCasper Imaging, Casper Remote,PolicySecurely configure Keyboard &Mouse preferences103Script, Unix Command,Managed PreferenceCasper Imaging, Casper Remote,Policy11
System Preferences Action Items Cont.Action ItemASCPageDeployable ObjectDeployment MechanismSecurely configure Networkpreferences105Script, UserEnvironment Package,Unix CommandCasper Imaging, Casper Remote,PolicySecurely configure Parental Controlpreferences106DMG, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurity configure Print & Faxpreferences109Script, UserEnvironment PackageCasper Imaging, Casper Remote,PolicySecurely configure QuickTimepreferences111DMGCasper Imaging, Casper Remote,PolicySecurely configure Securitypreferences112Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurely configure Sharingpreferences117Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurely configure Software Updatepreferences119Script, Policy,JSS Setting, UserEnvironment Package,Unix CommandCasper Imaging, Casper Remote,Policy, JSS SettingSecurely configure Soundpreferences120Script, UserEnvironment PackageCasper Imaging, Casper Remote,PolicySecurely configure Speechpreferences121Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicySecurely configure Spotlightpreferences123Script, Unix CommandCasper Imaging, Casper Remote,PolicySecurely configure Startup Diskpreferences125Script, Unix CommandCasper Imaging, Casper Remote,PolicySecurely configure Time Machinepreferences126Script, Unix Command,*Managed PreferenceCasper Imaging, Casper Remote,Policy12
Securing Data UsingEncryptionWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Encryption (DAR) Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismAssign POSIX access permissionsbased on user categories132Script, Unix Command,Composer SettingCasper Imaging, Casper Remote,PolicyReview and modify folder flags132Script, Unix Command,Composer SettingCasper Imaging, Casper Remote,PolicyRestrict permissions on User HomeFolders133Script, Unix CommandCasper Imaging, Casper Remote,Policy134Script, Unix Command,Composer SettingCasper Imaging, Casper Remote,PolicyAction ItemASCPageDeployable ObjectDeployment MechanismSecurely encrypt and backup yourdata156Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicyStrip setuid bits from some programsBackup Action Items13
Information Assurancewith ApplicationsWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Application Configuration Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismConfigure Mail using SSL158Script, *ManagedPreferenceCasper Imaging, Casper Remote,PolicyVerify certificate validity162ScriptCasper Imaging, Casper Remote,PolicyRequest MobileMe identity certificate170ScriptCasper Imaging, Casper Remote,PolicySecure iChat communications168Script, *ManagedPreferenceCasper Imaging, Casper Remote,PolicyCreate a strong password for iTunes171N/AN/ASecure remote access using VPN172DMG, Script,*Managed PreferenceCasper Imaging, Casper Remote,PolicyTurn firewall protection on174Script, Resource Kit,Managed PreferenceCasper Imaging, Casper Remote,Policy14
Information Assurancewith ServicesWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Services Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismLimit the list of administratorsallowed to use sudo167OS Image, DMGCasper Imaging, Casper Remote,PolicyDisable Bonjour185ScriptCasper Imaging, Casper Remote,PolicySecure BTMM access throughSecurity Preferences188Script, UserEnvironment Package,Managed PreferenceCasper Imaging, Casper Remote,PolicySet up screen sharing through VNCwith password protection190Script, DMGCasper Imaging, Casper Remote,PolicyEstablish key-based SSH connections195ScriptCasper Imaging, Casper Remote,PolicyCreate an SSH secure tunnel199ScriptCasper Imaging, Casper Remote,PolicyConfigure ARD to manage remotetasks203Script, Built In FeatureCasper Imaging, Casper Remote,Policy15
Advanced SecurityManagementWhen hardening Mac OS X desktop systems during installation,initialization or updating, reference the following:Action Items from ASC Page are managed by a Deployable Objectusing the appropriate Deployment Mechanism.Advance Management Action ItemsAction ItemASCPageDeployable ObjectDeployment MechanismCreate an authorization right to thedictionary to authorize users212Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicyCreate a digital signature216ScriptCasper Imaging, Casper Remote,PolicyEnable security auditing221ScriptCasper Imaging, Casper Remote,PolicyConfigure security auditing222ScriptCasper Imaging, Casper Remote,PolicyGenerate auditing reports222ScriptCasper Imaging, Casper Remote,PolicyEnable local logging219Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicyEnable remote logging220Script, ManagedPreferenceCasper Imaging, Casper Remote,PolicyInstall a file integrity checking tool216DMGCasper Imaging, Casper Remote,PolicyCreate a baseline configuration forfile integrity checking216OS ImageN/AInstall an antivirus tool222DMGCasper Imaging, Casper Remote,PolicyConfigure the antivirus tool toautomatically download virusdefinition files222DMG, ManagedPreferenceCasper Imaging, Casper Remote,Policy*Available as a template in the JSS16
Appendix A - MeetingSarbanes-Oxley ObjectivesThere are seven Control Objectives that relate to desktop managementunder Sarbanes-Oxley requirements that are met through the CasperSuite.They are: Grant the appropriate level of access in order to provideadministrators functionality appropriate to their role. Log the actions of each individual administrator. Ensure that no illegal or unauthorized software can be run oncorporate assets by excluding applications from execution. Allow remote administrators to observe or control a computer in away that is secure and audited. Rapidly change access credentials for remote computers Ensure that desktop screen savers activate after a set amount oftime and require a password to unlock. Ensure that data transmission is encrypted.17
Appendix A - MeetingSarbanes-Oxley ObjectivesWhile most system administrators governed by Sarbanes-Oxley arefluent in the terminology of the framework, a brief explanation ofcontrols is provided below.Automated Controls are performed by computers and are binaryin nature; they always function as designed and are not subject tointermittent error or human intervention.Access Controls define the appropriate access for different users andgrant them rights and privileges to sensitive information.Control Objectives define the desired state and are used to measurethe success or failure of a policy or procedure.Corrective Controls are aimed at restoring the system to its expectedstate.Detective Controls detect when an unwanted event occurs as aresult of human factors as well as en vironmental and security issues;we need detective controls to alert us when an unwanted eventtranspires.Preventative Controls are aimed at avoiding unwanted situations.18
Role Based AdministratorAccessControl Objectives Grant the appropriate level of access in order to provideadministrators functionality appropriate to their role. Log the actions of each individual administrator.Within the Casper Suite, individuals can be added to the system toperform the tasks for which they are responsible (see fig. 1).fig. 119
Role Based AdministratorAccessThese users can be added viaLDAP and assigned appropriateprivileges (see fig. 2).Grant All PrivilegesRevoke All PrivilegesJSS - Home Tab PrivilegesChange PasswordJSS - Inventory Tab PrivilegesView Inventory TabPerform Advanced SearchesSave Advanced SearchesView Saved SearchesManage Inventory PreferencesManage Peripheral TypesManage Removable MAC AddressManage Custom ReportsManage Saved SearchesManage Licensed SoftwareManage Supressed Inventory ItemsRecon PrivilegesAdd Computers ManuallyAdd HardwareView Details on Inventory ItemsAdd Computers RemotelyView License Serial NumbersQuickAdd PackagesDownload Files Attached to Inventory ItemsView Computer LogsCasper Admin PrivilegesEdit I
Desktop Core Configuration (FDCC) does not include Mac OS computers. For those in the public sector, Sarbanes-Oxley . Casper Remote, Policy Securely configure Desktop & Screen Saver preferences 97 Script, User Environment Package, *Managed Preferen
