
The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

  • Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
  • Check (√) - This is for administrators to check off when they complete this portion.
  • To Do - Basic instructions on what to do to harden the respective system.
  • CIS - Reference number in the Center for Internet Security Mac OS X Benchmark (PDF, requires UT EID login). The CIS document outlines in much greater detail how to complete each step.
  • UT Note - The notes at the bottom of the page provide additional detail about the step for the university computing environment.
  • Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.
  • Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).
  • Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address: ______________________
IP Address: ______________________
Machine Name: ______________________
Asset Tag: ______________________
Administrator Name: ______________________
Date: ______________________

Installation and core Mac OS X

Step | Check (√) | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std
---- | --------- | ----- | --- | ------- | ----- | ---------- | -------
1 | | If machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | 2.1.2 | § | ! | | 5.1
2 | | Enable Open Firmware Password. | 2.2.1 | § | ! | | 4.1
3 | | Enable automatic notification of new patches and patch if necessary. | n/a | § | ! | | 5.3
4 | | Time synchronization/configure an NTP server. | 2.4.5.1 | § | ! | | n/a
5 | | Enable logging/process accounting. | n/a | § | ! | | 6.1
6 | | Create complex passwords for administrator accounts. | 2.1.7 | § | ! | | 5.13
7 | | Disable core dumps. | 2.2.8 | § | | | n/a

System Services

Step | Check (√) | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std
---- | --------- | ----- | --- | ------- | ----- | ---------- | -------
8 | | If services are running, ensure the university warning banner is utilized. | 2.2.2, 2.2.3 | § | ! | | 5.10
9 | | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | 2.3, 2.4.14, 2.4.14.14 | § | ! | | 5.4
10 | | Limit connections to services running on the host to authorized users of the service (utilize firewall technology). | 2.4.13.9 | § | ! | | 5.5
11 | | Use an outbound network firewall. | 2.6.2 | § | | | n/a
12 | | Secure Bonjour. | 2.6.1 | § | | | 

Account Configuration

Step | Check (√) | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std
---- | --------- | ----- | --- | ------- | ----- | ---------- | -------
13 | | Create an administrator account and a standard account for each administrator. | 2.3.1 | § | | | 5.14
14 | | Disable automatic login. | 2.4.2.2 | § | ! | | 
15 | | Set a strong password policy. | 2.3.8 | § | ! | | 5.13
16 | | Secure home folders. | 2.5.2 | § | ! | | 5.12
17 | | Securely erase files in the Finder. | 2.5.4 | § | | | n/a
18 | | Prevent Spotlight from searching confidential folders and backup volumes. | 2.4.18.1, 2.4.18.2 | § | | | 5.12
19 | | Use secure virtual memory. | 2.4.13.5 | § | ! | | 57

Additional Steps

Step | Check (√) | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std
---- | --------- | ----- | --- | ------- | ----- | ---------- | -------
20 | | Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | n/a | § | ! | | 5.9
21 | | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | 2.5.2, 2.5.3 | § | ! | | 5.7
22 | | Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications to ensure Category I data does not traverse the Internet in clear text. | n/a | § | ! | | 5.6
23 | | If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | n/a | § | ! | | 5.8
24 | | Install and enable anti-virus software. | n/a | § | ! | | 3.1
25 | | Configure anti-virus software to update at least once a day. | n/a | § | ! | | 3.3
26 | | Use Firefox with the NoScript extension to protect from browser based spyware and malware. | n/a | § | | | 
27 | | Configure a screen-saver to lock the console's screen automatically if left unattended. | 2.4.13.1 | § | | | 
28 | | Set a short inactivity interval for the screen saver. | 2.4.6.1 | § | | | 

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.

1

If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

2

Enable Open Firmware password appropriate for your OS version:

  • For Mac OS X 10.1 to 10.3.9, download the Open Firmware Password Application.
  • For Mac OS X 10.4 or later, you must use the updated version that can be copied from the software installation disc (located at /Applications/Utilities/ on the disc).

3

Verify software update is set:

  1. Open System Preferences and click Software Updates.
  2. Click Check for Updates and set the interval to Weekly or Daily.
    * If you have Microsoft Office installed, launch /Applications/Microsoft AutoUpdate.app, click Automatically and set the interval to Weekly or Daily.
    * If you have other applications that provide security updates, such as Adobe products or web browsers, configure them to update Weekly or Daily too.

4

ITS Telecommunications and Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

5

Turn on process accounting:

6

The Information Resources Use and Security Policy (UTS-165), section 18, lists the requirements for passwords.

7

Note that this may not be desirable on development machines as it may make troubleshooting application and operating system crashes more difficult.

Run the following command from a Terminal window:

8

The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
To add the warning information to the message of the day file, edit /etc/motd and paste the text from the university's warning banner in this file. To change the banners for GUI login, refer to the CIS document. The procedure is fully described there.

9

The list of available services can be found in System Preferences under the Services tab of the Sharing icon. Be especially wary of sharing services; misconfiguring this setting could grant full access to important files or system resources. Much more detailed information regarding services is available in the CIS benchmark documents. For example, SSH/Remote Login is on by default out-of-the-box. Unless it is being utilized, turn it off in 'sharing system preferences.'

The freeware application Lingon may also be of use to identify and remove applications and services that run at startup. Lingon is a graphical interface for editing launchd configuration files.

10

Administrators may find the firewall native to Mac OS X, ipfw, robust and easily managed. There are several applications, such as WaterRoof, which provide a GUI to ipfw.

Leopard introduced a new application based firewall intended to replace ipfw. This firewall is simple to configure but has few options and can be trivially bypassed. While the application firewall should be adequate for most desktop users, servers and workstations with a high need for security should be configured to use ipfw instead.

You may also want to refer to the list of Mac OS X network service ports from Apple KB 106439.

NOTE: OS X Panther has known bugs with its implementation of ipfw. It is strongly recommended to review the details of the related bug or use a more recent version of OS X.

11

The included firewall, ipfw, can be configured to do this. Additionally, there are commercial products, namely Little Snitch, that act as outbound application firewalls.

12

Bonjour is an auto-discovery mechanism for TCP/IP devices. An attacker could use Bonjour's multicast DNS feature to discover a vulnerable or poorly-configured service.

To turn off Bonjour:

  • For 10.6 and above, follow the steps listed at http://support.apple.com/kb/HT3789, which are also copied below:

    1. Make a backup copy of the mDNSResponder.plist file as a precaution.
    2. Open the mDNSResponder.plist file in Terminal using a text editor, as shown:
    3. Add "<string>-NoMulticastAdvertisements</string>" to the array in the "ProgramArguments" section.
    4. Save the file.

  • For 10.5 and below, run this shell command in Terminal:
    Note that some applications, like Final Cut Studio and AirPort Base Station management, may not operate properly if the mDNSResponder is turned off.
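The 10.6-and-above procedure above edits the plist by hand. As an added example (not part of this page, not Apple's procedure, and not the command elided above), the following script checks whether a launchd plist passed as an argument already carries the -NoMulticastAdvertisements argument and, if not, backs the file up and inserts it into the ProgramArguments array. The demo() function runs it against a constructed copy of such a plist, not Apple's real file; on a live system the real path would be /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist and the script must run as root.

```shell
#!/bin/sh
# Added example: audit and patch a launchd plist so that mDNSResponder runs
# with -NoMulticastAdvertisements (checklist step 12, Mac OS X 10.6+).
# The plist path is an argument; the plist used by demo() is constructed.

FLAG='-NoMulticastAdvertisements'

# Returns 0 if the ProgramArguments array already contains the flag, 1 otherwise.
bonjour_adverts_disabled() {
    plist="$1"
    grep -q "<string>${FLAG}</string>" "$plist"
}

# Back up the plist, then insert the flag as the first element of the
# ProgramArguments array. Idempotent: does nothing if the flag is present.
disable_bonjour_adverts() {
    plist="$1"
    if bonjour_adverts_disabled "$plist"; then
        return 0
    fi
    cp "$plist" "$plist.bak" || return 1   # keep the backup the Apple procedure asks for
    awk -v flag="$FLAG" '
        /<key>ProgramArguments<\/key>/ { in_args = 1 }
        { print }
        in_args && /<array>/ {
            # reuse the indentation of the <array> line for a tidy file
            indent = $0; sub(/<array>.*/, "", indent)
            print indent "    <string>" flag "</string>"
            in_args = 0
        }
    ' "$plist" > "$plist.tmp" && mv "$plist.tmp" "$plist"
}

# Demo on a constructed sample plist (not Apple's file).
demo() {
    tmp="${TMPDIR:-/tmp}/mDNSResponder.demo.plist"
    cat > "$tmp" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
EOF
    bonjour_adverts_disabled "$tmp" && echo "already disabled" || echo "advertisements enabled"
    disable_bonjour_adverts "$tmp"
    bonjour_adverts_disabled "$tmp" && echo "now disabled"
    echo "$tmp"
}
```

After patching the real file, mDNSResponder has to be restarted (or the machine rebooted) for the new argument to take effect, and the .bak copy lets you undo the change if an application listed in the note above stops working.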

13

This section intentionally left blank.

14

In System Preferences: Accounts, Login Options, disable Automatic Login. Automatic login can also be disabled in System Preferences: Security.

Alternatively, run the following command:

15

The Information Resources Use and Security Policy (UTS-165), section 18, lists the requirements for passwords. If possible, use pwpolicy or a centrally managed password policy on a Mac OS X Server to enforce these requirements.

16

By default, every user is allowed to see into the top level of other home folders so that files can be placed into the "Drop Box" folders of any user.
To resolve, open a Terminal window and enter:


Where <username> is the name of each user. This command has to be run for each user with a local home folder.
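As an added example (not the command elided above and not the page's own), the script below audits a directory of home folders and reports any that group or other users can still see into, then restricts the exposed ones to mode 700. The tree it runs on in demo() is constructed under $TMPDIR; on a real machine you would pass /Users and run it with sudo. It assumes the /Users/Shared folder is meant to stay readable and skips it.

```shell
#!/bin/sh
# Added example: find home folders other users can browse and close them
# (checklist step 16). Directory tree is an argument; demo() builds a sample.

# Print the 10-character mode string (e.g. drwxr-xr-x) of a path, portably.
# Note: ACLs are not reflected here; check those separately if in use.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 if group and other have no access bits (mode 700 or stricter).
home_folder_is_private() {
    case "$(mode_string "$1")" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# List home folders under $1 that other users can still see into.
find_exposed_homes() {
    root="$1"
    for home in "$root"/*/; do
        home="${home%/}"
        [ -d "$home" ] || continue
        case "$(basename "$home")" in
            Shared) continue ;;   # assumption: Shared is intentionally world-readable
        esac
        home_folder_is_private "$home" || echo "$home"
    done
}

# Apply mode 700 to every exposed home folder (needs root on a real system).
secure_home_folders() {
    find_exposed_homes "$1" | while IFS= read -r home; do
        chmod 700 "$home" && echo "secured $home"
    done
}

# Demo on a constructed tree: two users plus a Shared folder.
demo() {
    root="${TMPDIR:-/tmp}/users.demo"
    rm -rf "$root"
    mkdir -p "$root/alice" "$root/bob" "$root/Shared"
    chmod 755 "$root/alice" "$root/Shared"
    chmod 700 "$root/bob"
    echo "exposed before: $(find_exposed_homes "$root" | tr '\n' ' ')"
    secure_home_folders "$root"
    echo "exposed after: $(find_exposed_homes "$root" | wc -l | tr -d ' ')"
    echo "$root"
}
```

Running find_exposed_homes on its own is a quick way to re-check the machine after new accounts are created, since each new local home folder comes back with the default, more open permissions.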

17

If files containing sensitive data are frequently deleted from this machine, set finder to automatically use the secure delete option. (Finder: Preferences: Advanced, and check "Empty Trash Securely")

The command-line tool "srm" is also available as an alternative to "rm".

Note that secure deletion of files can take significantly longer than a normal delete operation.

18

Spotlight is a built-in service that, by default, indexes every file on any local hard drive and allows the contents of the indexed files and folders to be searched. While Spotlight enforces access controls to limit access to files, the index itself may contain sensitive information about the files. The Spotlight System Preference Pane allows a user to exclude volumes, folders, and data types from being indexed.

In System Preferences: Spotlight, Search Results tab turn off any categories that should not be indexed.

In System Preferences: Spotlight, Privacy tab add any volumes or folders that contain sensitive data.

Alternatively, you can stop Spotlight from indexing and searching specific volumes with the following command:

19

In System Preferences: Security, General tab, check "Use secure virtual memory."

Alternatively, run the following command:


A reboot is required for this change to take effect.

20

BSD Files
Check in /groups/admin to see who has admin privileges.
Check in /etc/passwd to look for blank passwords.

OpenDirectory
Use the dscl command

Users
List all users with the nireport utility:

Groups
To list all of the group IDs (GIDs) and group names for the local domain, use the nireport utility:

Passwords
Utilize pwpolicy to set global, or per user, password policies. Using pwpolicy, one can set expiry date, require alpha or numeric characters, set max failed login counter, and password length, among others. Check the strength of users' passwords with tools such as John the Ripper after seeking approval from the IT Owner. When using John, consider using a simple dictionary for easily guessed passwords.

Develop a procedure to report and remediate easily guessed passwords.
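The nireport and dscl commands referenced above produce colon-separated listings in the same shape as /etc/passwd and /etc/group. As an added example (not part of this page and not the elided nireport commands), the script below performs two of the step 20 checks on such listings: it finds accounts whose password field is empty, and it compares the members of the admin group against an approved baseline so that an unexpected administrator is reported. The passwd- and group-format files used by demo() are constructed; on a real system you would feed it /etc/passwd (or dscl output) and the admin group listing.

```shell
#!/bin/sh
# Added example: integrity checks for local accounts and admin membership
# (checklist step 20). Inputs are files in passwd/group format; demo() builds
# constructed samples.

# Print user names whose password field (field 2 of passwd format) is empty.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the members of a group (default "admin") from a group-format file,
# one per line. The layout assumed is name:password:gid:member,member,...
group_members() {
    file="$1"; group="${2:-admin}"
    awk -F: -v g="$group" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$file"
}

# Print admin group members that are not in the approved baseline given as
# the remaining arguments; empty output means membership matches the baseline.
unexpected_admins() {
    file="$1"; shift
    group_members "$file" admin | while IFS= read -r member; do
        found=0
        for approved in "$@"; do
            if [ "$member" = "$approved" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$member"; fi
    done
}

# Demo on constructed files: one blank password, one admin outside the baseline.
demo() {
    dir="${TMPDIR:-/tmp}/acct.demo"
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
alice:*:501:20:Alice:/Users/alice:/bin/bash
guest::502:20:Guest Account:/Users/guest:/bin/bash
EOF
    cat > "$dir/group" <<'EOF'
wheel:*:0:root
admin:*:80:root,alice,bob
staff:*:20:root,alice,bob
EOF
    echo "blank passwords: $(blank_password_accounts "$dir/passwd" | tr '\n' ' ')"
    echo "admin members: $(group_members "$dir/group" | tr '\n' ' ')"
    echo "unexpected admins: $(unexpected_admins "$dir/group" root alice | tr '\n' ' ')"
    echo "$dir"
}
```

Keeping the approved admin list in a file under version control and running unexpected_admins from a scheduled job turns the one-off check into the "enabled and tested" integrity check the step calls for.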

21

There are a variety of methods available to accomplish this goal.

Mac OS X comes with FileVault. NOTE: FileVault works with local home directories only, not home directories on the server or any other kind of data. Instead, REALLY important data could be secured by putting it in encrypted disk images (which FileVault does), but this will be neither automatic nor transparent to the user.

Some other good candidates are PGP (cost), GNUPG (free), and Truecrypt (free). None of these options provide whole-disk encryption for Mac OS X.

Whole-disk encryption for Mac OS X is available through the WinMagic SecureDoc service provided by ITS. SecureDoc can also be used to encrypt USB or Firewire connected external drives, such as those used for Time Machine backups.

We strongly recommend that, if encryption is being used in conjunction with Category I data, one of the solutions listed in the Approved Encryption Methods (EID required) be implemented.

22

If you decide to use Remote Login (SSH server), the ISO highly recommends that you change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against SSH servers and the scripts always attack port 22 since most people do not change the default port.

The ISO also highly recommends that you do not allow root logins via Remote Login (SSH).
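As an added example (not from this page), the script below audits an sshd_config file for the two Remote Login settings the ISO note recommends: a non-default port and no root login. The file path is an argument; the sample configuration in demo() is constructed. It assumes OpenSSH's first-match semantics for directives and the built-in defaults of the era (Port 22, PermitRootLogin yes); newer OpenSSH releases default PermitRootLogin to prohibit-password instead.

```shell
#!/bin/sh
# Added example: check sshd_config for the step 22 Remote Login recommendations.
# The config path is an argument; demo() writes a constructed sample.

# Print the effective value of a directive. sshd uses the first non-comment
# occurrence; when the directive is absent the built-in default ($3) applies.
sshd_setting() {
    file="$1"; key="$2"; default="$3"
    value=$(awk -v k="$key" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    echo "${value:-$default}"
}

# Print one finding per line; prints nothing when both recommendations are met.
sshd_findings() {
    file="$1"
    port=$(sshd_setting "$file" Port 22)
    root=$(sshd_setting "$file" PermitRootLogin yes)   # assumed default of the time
    if [ "$port" = "22" ]; then
        echo "Port is the default 22; move Remote Login to another port"
    fi
    case "$root" in
        no) ;;
        *)  echo "PermitRootLogin is '$root'; set it to no" ;;
    esac
}

# Demo: a default-looking config (everything commented out), then hardened.
demo() {
    f="${TMPDIR:-/tmp}/sshd_config.demo"
    cat > "$f" <<'EOF'
# constructed sample; a stock install leaves both directives commented out
#Port 22
#PermitRootLogin yes
Protocol 2
EOF
    echo "findings for defaults:"
    sshd_findings "$f"
    printf 'Port 2222\nPermitRootLogin no\n' >> "$f"
    echo "findings after hardening: $(sshd_findings "$f" | wc -l | tr -d ' ')"
    echo "$f"
}
```

Moving the port only reduces noise from scanners that try port 22 alone; refusing root logins and, per step 10, limiting who can reach the port with the firewall are what actually shrink the exposure.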

23

Available tools include:

24

Download and install ClamXav from BevoWare (at no additional cost) or http://www.clamxav.com/. Documentation can be found on the ITS Web site. ClamXav may impact a production OS X server's performance and may not be deemed essential to ensuring security of the system or the network. In this case, daily or weekly scheduled scans may be adequate.

25

This section intentionally left blank.

26

It is by far preferable to not browse the web from servers at all. However, if this unwise activity must be permitted, we recommend you use Firefox with the NoScript and AdBlock Plus (with a subscription to an actively maintained filter list) extensions to protect from spyware, malware, and drive-by-downloads as much as possible. It is important to be aware of the fact that even well-known, trusted sites can be compromised and used to serve malware.

27

In System Preferences: Security, General tab, check "Require a password to wake the computer from sleep or screen saver."

Alternatively, run the following command:


The current user will need to log off and on for changes to take effect.

28

In System Preferences: Desktop & Screen Saver, Screen Saver Tab, make sure the Start screen saver slider is set to a value no higher than 30 minutes.

Alternatively, run the following command:


Substitute the number of idle seconds until the screen saver starts for [X]. A logout of the user may be required for the new settings to take effect.


Copyright © 2001-2011 Information Technology Services. All rights reserved.
