Manualshelf

Setup guide

ManualsBrandsApple ManualsComputer equipmentMac OS X Panther
11121314151617181920
UNCLASSIFIED
UNCLASSIFIED
4
Chapter 2 –
Intro to Mac OS X Security
from an administrator account login. This means there will be an audit log showing
when users have acted as root. Without this kind of accountability, it is difficult to
know if an adverse action on the system was the result of an administrator error or a
malicious attack. The root account should never need to be enabled, and it is
strongly recommended that root remain disabled.
Security Features
In addition to the permission-protected, multi-user environment described above,
Mac OS X incorporates a number of other security features.
Secure Configuration by Default
The system’s default configuration is one of the most important security features
provided by Mac OS X. First, as stated above, the root account comes disabled in
Mac OS X. Second, network services are all initially disabled. Third, the initial
logging setup is consistent with good security practice.
Secure Network Services
Another feature provided in Mac OS X is the SSH protocol, whose programs replace
the plaintext services such as telnet, rlogin, rcp, and ftp. These older services
do not encrypt usernames, passwords, or other sensitive data that pass over a
network between hosts. SSH provides protection for network communications by
establishing an encrypted link between hosts before any data are exchanged. The
encryption facility should be completely transparent to the user. Table 1 shows SSH
replacements for the plaintext services.
Table 1: Insecure programs and their SSH replacements
Insecure program: SSH Replacement:
telnet ssh
login slogin
rcp scp
ftp sftp
A Mac OS X system can act as an SSH client or an SSH server. As a client, no
settings require modification. The user can use the SSH client programs to connect
to remote hosts that act as SSH servers. If operationally required, the SSH server
can be started by turning on the Remote Login service in the System
Preferences. Server programs for the plaintext services should never be activated.
Use of plaintext service client programs is acceptable only when no sensitive data
will be transmitted, such as downloading a file using anonymous FTP.
Keychain
Although available in previous versions, the Keychain feature has been improved
and becomes a more important feature in Mac OS X. Keychain can be used to