Monday, September 17, 2012

Hardening Mountain Lion

After spending some time installing Mountain Lion (OS X 10.8), from scratch rather than over my old Lion installation, the usual question arises: How to harden it?

Of course, I can't find my notes from hardening Lion back in the day. I guess I'll use the blog as an excuse to keep notes this time. Feel free to use my notes and reasoning as inspiration or motivation, but keep in mind that everybody's risk profile differs. I may prefer paranoid settings over convenience and you don't, or vice versa.

Also, most certainly, my considerations below are incomplete. And for the most part, I'm assuming a single user (myself) and don't bother too much with defining password policies, etc.

The Obvious

There are some obvious security settings - those that you can find by clicking through the System Preferences options. Here are my thoughts on those:
  • Users & Groups
    • I set passwords for my users. I also use a non-admin user for my daily work. The OS X elevation mechanism seems to work just fine for installing software, etc., although non-admin users are not in /etc/sudoers by default. So I create a separate user that has "Allow user to administer this computer" enabled, and disable it from the one that I use on a daily basis. Or the other way around.
    • Strangely, it seems like the guest user came enabled by default. Disable it.
    • "Set Master Password" for encryption under Preferences (the little wheel below the user list). Probably not a bad idea if you are prone to forgetting your account passwords. Now you have one more to forget. ;-)
  • Desktop & Screen Saver
    • Mine starts after 20 minutes.
  • CDs & DVDs
    • I usually ignore them.
  • Bluetooth
    • Uncheck "Discoverable". Turn it off if you don't use it.
  • Sharing
    • I don't enable any sharing unless I specifically want to use it for something.
  • Software Update
    • Automatically check for updates.
  • Security and Privacy
    • General
      • "Allow applications downloaded from:" - This pertains to Apple's Gatekeeper functionality. Of course, there's (still) software out there I'd like to use that hasn't been officially signed, so I ended up choosing "Anywhere". But I am usually pretty aware of what I'm installing and where it comes from, and don't have other users using the laptop.
    • FileVault
      • I don't see a reason not to use this. Maybe a little performance hit? Ah well.
    • Firewall
      • Enable it. "Block all incoming connections" is always a tough call when you use the system in a hostile environment. I leave it unchecked, most of the time, and check the list of applications that have been added with individual settings every now and then.
      • Disable "Automatically allow signed software to receive incoming connections".
      • Check "Enable stealth mode".
    • Privacy
      • Personal preference, I suppose.
    • Advanced… (the button on the bottom)
      • I let it "Automatically update safe downloads list" and "Disable remote control infrared receivers" (don't have any). 

Existing hardening guidelines

It's a little early to expect that anybody has analyzed Mountain Lion to the extent that they can publish a comprehensive hardening guide. Apple has not published Security Configuration Guides or Common Criteria guidance material since Snow Leopard, which is a pity, since they used to be well-written and useful. So, let's see what we can scavenge from the Snow Leopard Security Configuration Guide:
  • Setting an EFI (Extensible Firmware Interface) password to prevent unauthorized booting into single-user mode
  • you can use 'sudo visudo' to add non-admin accounts to /etc/sudoers (like the unprivileged one you are using for daily work)
  • pwpolicy lets you define a password policy
  • stripping suid bits from executables (pg. 151 ff.), I did it for the following (if anybody has taken the time to investigate what Apple has added since Snow Leopard that might be worthy of disabling, let me know :)):
    • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
    • /bin/rcp
  • chmod 700 for users' home folders (supposedly breaks Apple file sharing and web sharing?)
  • block Bonjour advertisements, and use ipfw to block incoming Bonjour traffic
The University of Texas also has a nice compilation of useful tips: https://wikis.utexas.edu/display/ISO/Mac+OS+X+Server+Hardening+Checklist
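As an added example (not from the original post or from Apple's guide), here is a small POSIX sh audit script for the two items in that list that are visible on the filesystem: whether the setuid bits on the two binaries named above are really gone, and whether home folders are mode 700. The ARDAgent and rcp paths are the ones from the list; the function names and the "drwx------" form of ls -ld output are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original post or Apple's guide): checks the
# Snow Leopard items that show up on the filesystem, i.e. the setuid bits on
# the binaries listed above and the 700 mode on home folders.
# Assumes POSIX sh and the usual "drwx------" form of ls -ld output.

# 0 if the file has no setuid bit (or does not exist), 1 if it still has one.
suid_stripped() {
    [ -e "$1" ] || return 0          # nothing to strip
    [ -u "$1" ] && return 1
    return 0
}

# 0 if the directory is mode 700 (drwx------), 1 otherwise.
home_is_private() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "drwx------" ]
}

# Report every path in the list that still carries setuid; the return
# value is the number of findings (0 means clean).
audit_suid() {
    findings=0
    for p in "$@"; do
        if ! suid_stripped "$p"; then
            echo "setuid still set: $p   (fix: sudo chmod u-s \"$p\")"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Report every home folder in the list that is not 700; returns the count.
audit_homes() {
    findings=0
    for h in "$@"; do
        if ! home_is_private "$h"; then
            echo "home folder not 700: $h   (fix: chmod 700 \"$h\")"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Default run against the paths from the post; "|| :" keeps a non-zero
# finding count from aborting a caller that runs with set -e.
audit_suid /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent /bin/rcp || :
audit_homes "$HOME" || :
```

Run it as the daily-use user after stripping the bits; a clean system prints nothing and both functions return 0.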

Other things

I use a virus scanner, always have. I don't believe in the immunity of OS X from malware. I use ESET.

OpenDNS is also a great idea.

Safari has additional security and privacy settings to consider, if you use it.

To-Do's

It might be worthwhile to reason about ipfw rules to further tighten down the OS X firewall. The Snow Leopard Security Configuration Guide contains instructions on how to do that. Similarly, going through the list of daemons and user agents on the system and determining which ones could be disabled should be interesting.