UNCLASSIFIED UNCLASSIFIED Report Number:I331-009R-2004 Apple Mac OS X v10.3.x “Panther” Security Configuration Guide Guide Version 1.1 Systems
UNCLASSIFIED Appendix A - Encrypting Files and Folders Appendix A Encrypting Files and Folders As described earlier, Mac OS X’s FileVault feature c
UNCLASSIFIED UNCLASSIFIED 90Appendix A – Encrypting Files and Folders 1. Open Disk Utility, located in /Applications/Utilities, and make sure not
UNCLASSIFIED Appendix A - Encrypting Files and Folders Figure 38: Disk Utility Save Panel 4. Choose the size of the disk image from the Size pop
UNCLASSIFIED UNCLASSIFIED 92Appendix A – Encrypting Files and Folders keychain is unlocked, the data will be transparently unencrypted if an attem
UNCLASSIFIED Appendix A - Encrypting Files and Folders Figure 41: Disk Utility Convert Image Panel 4. Select AES-128 (recommended) for Encryption
UNCLASSIFIED Appendix B- References Appendix B References 1. Mac OS X Maximum Security; Ray, John, and Ray, Dr. William C.; Sams Publishing; 2003 2.
UNCLASSIFIED Appendix C- Additional Resources Appendix C Additional Resources The following are additional resources that may be helpful to readers o
UNCLASSIFIED UNCLASSIFIED xi Introduction Introduction The purpose of this guide is to provide an overview of Mac OS X v10.3.x “Panther” operating sy
UNCLASSIFIED UNCLASSIFIED xii Introduction About this Guide This document consists of six chapters and two appendices: Chapter 1, “Scope of Guidanc
UNCLASSIFIED Chapter 1 UNCLASSIFIED 1Chapter 1 - Scope of Guidance Scope of Guidance Apple’s Mac OS X operating system is very versatile, and can b
UNCLASSIFIED UNCLASSIFIED 2Chapter 1 – Scope of Guidance user. This method is labor-intensive for the system administrator, so the most appropria
UNCLASSIFIED UNCLASSIFIED 3Chapter 2 - Intro to Mac OS X Security Chapter 2 Introduction to Mac OS X Security Mac OS X v10.3.x (a.k.a. “Panther”)
UNCLASSIFIED UNCLASSIFIED 4Chapter 2 – Intro to Mac OS X Security from an administrator account login. This means there will be an audit log show
UNCLASSIFIED UNCLASSIFIED 5Chapter 2 - Intro to Mac OS X Security manage the multitude of credentials and certificates that a user must maintain. M
UNCLASSIFIED Chapter 3 UNCLASSIFIED 7Chapter 3 - Initial Installation Initial Installation Although secure configuration of an existing Mac OS X in
UNCLASSIFIED UNCLASSIFIED 8Chapter 3 – Initial Installation • Only user files and data should be saved and later restored; restoring system sett
UNCLASSIFIED UNCLASSIFIED 9Chapter 3 - Initial Installation Continue Through Installation Screens Any necessary partitioning of the hard drive can
UNCLASSIFIED UNCLASSIFIED 10Chapter 3 – Initial Installation 6. Click the Continue button when the Select a Destination screen re-appears. Inst
UNCLASSIFIED UNCLASSIFIED 11Chapter 3 - Initial Installation iCal – Optional. iCal provides an electronic calendar, including some Internet conne
UNCLASSIFIED UNCLASSIFIED 12Chapter 3 – Initial Installation Initial System Configuration The next set of screens deals with configuring the just-
UNCLASSIFIED UNCLASSIFIED 13Chapter 3 - Initial Installation across the network when the machine is connected to one. Sensitive information should
UNCLASSIFIED UNCLASSIFIED 14Chapter 3 – Initial Installation Get Internet Ready Note: This screen will only appear if the entry of registration
UNCLASSIFIED UNCLASSIFIED 15Chapter 3 - Initial Installation "Mac OS X Update 10.3.4" and security updates "Security Update 2004-05-
UNCLASSIFIED UNCLASSIFIED 16Chapter 3 – Initial Installation Figure 1: Apple’s Update Download Web Page Administrators should note that updates
UNCLASSIFIED UNCLASSIFIED 17Chapter 3 - Initial Installation being updated is loaded with Mac OS X v.10.3.2 or earlier. If any of the listed updat
UNCLASSIFIED UNCLASSIFIED iii Warnings Warnings Do not attempt to implement any of the settings in this guide without first testing in a non-opera
UNCLASSIFIED UNCLASSIFIED 18Chapter 3 – Initial Installation 1. Place the CD with the 10.3.3 Update package in the CD-ROM drive. Mac OS v.10.3.3
UNCLASSIFIED 4. Follow the instructions of the Installer. UNCLASSIFIED 19Chapter 3 - Initial Installation 5. When the Installer has completed, cl
UNCLASSIFIED UNCLASSIFIED 20Chapter 3 – Initial Installation operating system, updates, and applications.
UNCLASSIFIED Chapter 4 UNCLASSIFIED 21Chapter 4- Configuring System Settings Configuring System Settings System configuration follows the installat
UNCLASSIFIED UNCLASSIFIED 22Chapter 4 – Configuring System Settings Removing Registration Information Mac OS X stores any registration information
UNCLASSIFIED UNCLASSIFIED 23Chapter 4- Configuring System Settings Figure 2: System Preferences Application Many options within the System Prefere
UNCLASSIFIED UNCLASSIFIED 24Chapter 4 – Configuring System Settings system’s method of restricting a user from doing this places other serious rest
UNCLASSIFIED UNCLASSIFIED 25Chapter 4- Configuring System Settings Figure 4: Active Screen Corners Panel 7. Use the pull-down menu corresponding
UNCLASSIFIED UNCLASSIFIED 26Chapter 4 – Configuring System Settings Some users reported data loss under certain circumstances when using Mac OS X
UNCLASSIFIED UNCLASSIFIED 27Chapter 4- Configuring System Settings To set the FileVault master password: 1. Click on the Show All icon in System
UNCLASSIFIED UNCLASSIFIED 28Chapter 4 – Configuring System Settings At this point, FileVault may now be activated for any user or administrative ac
UNCLASSIFIED UNCLASSIFIED 29Chapter 4- Configuring System Settings Figure 6: Security Panel Additional Settings 3. Place a check in the box for R
UNCLASSIFIED UNCLASSIFIED 30Chapter 4 – Configuring System Settings not complete until the user makes a decision about whether to save the file.
UNCLASSIFIED UNCLASSIFIED 31Chapter 4- Configuring System Settings 1. Click on the Show All icon in System Preferences, or restart System Preferen
UNCLASSIFIED UNCLASSIFIED 32Chapter 4 – Configuring System Settings Figure 8: CDs & DVDs Panel 3. Pull down and select Ignore for the When y
UNCLASSIFIED UNCLASSIFIED 33Chapter 4- Configuring System Settings Figure 9: Energy Saver Sleep Panel 4. Unlock the window for editing if necessa
UNCLASSIFIED UNCLASSIFIED 34Chapter 4 – Configuring System Settings Figure 10: Energy Saver Options Panel 8. Uncheck the checkbox in front of th
UNCLASSIFIED UNCLASSIFIED 35Chapter 4- Configuring System Settings 4. Click on the Internal Microphone selection (if available) and set the input v
UNCLASSIFIED UNCLASSIFIED 36Chapter 4 – Configuring System Settings send a request for information to the Apple Federal e-mail address: AppleFeder
UNCLASSIFIED UNCLASSIFIED 37Chapter 4- Configuring System Settings 6. Pull down the Location menu and repeat step 5 for any other locations in the
UNCLASSIFIED UNCLASSIFIED v Trademark Information Trademark Information Apple, Macintosh, Mac OS X, and “Panther” are either registered trademarks o
UNCLASSIFIED UNCLASSIFIED 38Chapter 4 – Configuring System Settings this guide, there is no need for this capability when configuring according to
UNCLASSIFIED UNCLASSIFIED 39Chapter 4- Configuring System Settings Figure 13: Sharing Services Configuration Panel 4. Unlock the window for edit
UNCLASSIFIED UNCLASSIFIED 40Chapter 4 – Configuring System Settings application. Only the settings that are handled within the System Preferences
UNCLASSIFIED UNCLASSIFIED 41Chapter 4- Configuring System Settings left enabled, you will need to allow them through the firewall here. 3. Click th
UNCLASSIFIED UNCLASSIFIED 42Chapter 4 – Configuring System Settings Figure 15: Internet Sharing Configuration Panel 2. The words “Internet Sharin
UNCLASSIFIED UNCLASSIFIED 43Chapter 4- Configuring System Settings 4. Click on the Login Options button near the bottom left side of the panel (Fig
UNCLASSIFIED UNCLASSIFIED 44Chapter 4 – Configuring System Settings unencrypted form on the system. The password for this account should be change
UNCLASSIFIED UNCLASSIFIED 45Chapter 4- Configuring System Settings which can automatically update the system’s date and time by communicating with a
UNCLASSIFIED UNCLASSIFIED 46Chapter 4 – Configuring System Settings 3. If necessary, uncheck the checkbox in front of Check for updates: to disabl
UNCLASSIFIED Restricting Administrator’s Home Folder Permissions UNCLASSIFIED 47Chapter 4- Configuring System Settings When FileVault is not enabled
UNCLASSIFIED UNCLASSIFIED 48Chapter 4 – Configuring System Settings 3. Click on the root item in the users column. The root user’s properties and
UNCLASSIFIED UNCLASSIFIED 49Chapter 4- Configuring System Settings 9. Click the lock icon in the lower left corner of the NetInfo Manager window to
UNCLASSIFIED UNCLASSIFIED 50Chapter 4 – Configuring System Settings 4. At the next prompt, enter: setenv security-mode command 5. To restart th
UNCLASSIFIED UNCLASSIFIED 51Chapter 4- Configuring System Settings 2) Title: Open Firmware: Password Not Recognized when it Contains the Letter “U”
UNCLASSIFIED UNCLASSIFIED 52Chapter 4 – Configuring System Settings 6. Open a new terminal window and issue the following command, replacing <x
UNCLASSIFIED UNCLASSIFIED 53Chapter 4- Configuring System Settings <string>THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM. USE OF THE SYSTEM
UNCLASSIFIED UNCLASSIFIED 54Chapter 4 – Configuring System Settings Figure 20: Console Log In Mac OS X, log files are handled by either the BSD s
UNCLASSIFIED UNCLASSIFIED 55Chapter 4- Configuring System Settings mail.emerg /var/log/mail.log The facility and priority are separated by onl
UNCLASSIFIED UNCLASSIFIED 56Chapter 4 – Configuring System Settings DayOf DayOf #Minute Hour Month Month Week User Command 15 12 * * 2 root
UNCLASSIFIED UNCLASSIFIED 57Chapter 4- Configuring System Settings not permanently disable the components; however, administrative access is needed
UNCLASSIFIED UNCLASSIFIED vii Table of Contents Table of Contents Warnings...
UNCLASSIFIED UNCLASSIFIED 58Chapter 4 – Configuring System Settings running Mac OS 9 applications: booting the system into Mac OS 9, and running a
UNCLASSIFIED sudo rm -rf '/System/Library/Classic/' UNCLASSIFIED 59Chapter 4- Configuring System Settings sudo rm -rf '/System/Libra
UNCLASSIFIED Chapter 6 - Future Guidance Chapter 5 Configuring User Accounts Once the first administrator account and the root account are securely
UNCLASSIFIED UNCLASSIFIED 62Chapter 6 – Future Guidance Creating User Accounts The following instructions describe creation of a standard user acc
UNCLASSIFIED policy should require a new user to change his password immediately upon first login. Chapter 6 - Future Guidance 6. Leave the Passwor
UNCLASSIFIED UNCLASSIFIED 64Chapter 6 – Future Guidance Granting Administrative Privileges An administrative user on the system can perform standa
UNCLASSIFIED Chapter 6 - Future Guidance Figure 23: Grant Administrative Privileges Limiting a User Account Two levels of limited user accounts a
UNCLASSIFIED UNCLASSIFIED 66Chapter 6 – Future Guidance 1. Click on the Show All icon in System Preferences, or restart System Preferences if nec
UNCLASSIFIED A user with this capability enabled will be able to configure security-related items within the System Preferences panel such as the ti
UNCLASSIFIED UNCLASSIFIED viii Table of Contents Network...
UNCLASSIFIED UNCLASSIFIED 68Chapter 6 – Future Guidance 12. Click on the unlocked lock icon at the bottom of the panel to re-lock the preferences
UNCLASSIFIED System Preferences Settings Chapter 6 - Future Guidance The following configuration should be done for every user account, and must be
UNCLASSIFIED UNCLASSIFIED 70Chapter 6 – Future Guidance 9. Click on the Hot Corners button at the bottom left of the Desktop & Screen Saver p
UNCLASSIFIED Chapter 6 - Future Guidance Figure 26: Disable Software Update If an internal microphone is installed on the system, it must be disa
UNCLASSIFIED UNCLASSIFIED 72Chapter 6 – Future Guidance Figure 27: Disable Internal Microphone 28. Use a dummy plug to plug the Line In jack on
UNCLASSIFIED The next step is to enable FileVault for this user: Chapter 6 - Future Guidance 33. Make sure all applications (other than System Pre
UNCLASSIFIED UNCLASSIFIED 74Chapter 6 – Future Guidance Overriding the Default umask The default umask value can be overridden for a particular us
UNCLASSIFIED certificate must be stored in a keychain. If a credential must be stored on the system, it should be stored and managed using the Keyc
UNCLASSIFIED UNCLASSIFIED 76Chapter 6 – Future Guidance login password and is automatically unlocked when the user logs in. It remains unlocked u
UNCLASSIFIED Chapter 6 - Future Guidance Figure 30: Keychain Password Change 6. From the Edit menu, select Change Settings for keychain “login”…
UNCLASSIFIED UNCLASSIFIED ix Table of Contents Creating an Encrypted Image From Existing Data ...92 Referenc
UNCLASSIFIED UNCLASSIFIED 78Chapter 6 – Future Guidance Figure 31: Keychain Settings 8. Check the configuration of each of the items in the log
UNCLASSIFIED e. Place a check in the Ask for keychain password checkbox. With this option selected, the user will be required to provide the keych
UNCLASSIFIED UNCLASSIFIED 80Chapter 6 – Future Guidance The first keychain configured here is designed to protect credentials that are accessed fr
UNCLASSIFIED 7. Click on the name of the newly created keychain to highlight it. Chapter 6 - Future Guidance 8. Select Change Settings for keychai
UNCLASSIFIED UNCLASSIFIED 82Chapter 6 – Future Guidance Figure 34: Mail Keychain Items Access Control Settings Keychain 2: Moderately accessed c
UNCLASSIFIED 7. Make sure the Lock when sleeping option is selected, and that the Lock after x minutes of inactivity option is selected and set to a
UNCLASSIFIED UNCLASSIFIED 84Chapter 6 – Future Guidance 4. Type a name for the new keychain in the Save As box in the window, and click on Create
UNCLASSIFIED guide may be used as the default keychain. If the user chooses to set a different keychain as the default, he should ensure that it is
UNCLASSIFIED UNCLASSIFIED 86Chapter 6 – Future Guidance 11. Drag the original file to the Trash. 12. Choose Secure Empty Trash from the Finder me
UNCLASSIFIED Chapter 6 - Future Guidance Chapter 6 Future Guidance Topics for consideration in future versions of this guide or in other guidance d