Skinny downloading

1. Exiled Lab Mac Os Download

By: James Reynolds - Revised: 2014-01-23 richard

Start studying Lab 18-1: Features and Tools of Mac OS and Linux Desktop Operating System. Learn vocabulary, terms, and more with flashcards, games, and other study tools. Insert the first disc of Exile, and copy the folder called M3Data into the Myst III Exile folder (the M3Data folder is invisible if you don’t use TinkerTool first); Copy the Data folder into EXILE Disc 1, then eject disc 1; Insert disc 2, copy the Data folder into EXILE Disc 2, then eject disc 2.

This video is educational to show how you can run MacOS vms on AMD Ryzen using Vmware Workstation for a personal test lab. Some links described in the video. There is no Mac OS X installer for Myst III: Exile, although there is an updated application. So the installer only works in OS 9, meaning that if you don’t have Classic installed on your Mac, you can’t play the game.

Introduction

This presentation discusses Mac OS X lab physical security, boot security, how to handle published exploits, passwords, world write permissions, SUID applications, how to securely modify the system, what to do with applications that stay open after logout, how to protect services that you might enable, and how to monitor your labs to ensure that they stay secure.

Section Links

Webcasts/Presentations

On 6-17-03, James Reynolds presented this material on a webcast for Mac OS X Labs.
View Webcast (link dead)

Updates to this page

This page is now in a somewhat finished state. However, as time permits, more information will be added. Basically, as the Student Computing Labs Mac Group implements each part, we will document it and add it to this page. Areas that we intend to add more information has the text 'More info coming'.

Physical Security

Physical security is ensuring that hardware is not tampered with or stolen. By tampering with hardware, it is easy to bypass any software security. Stealing hardware is a security risk because it allows a hacker to examine your hard disk, crack passwords, and generally see what you have there. For example, you may have a script that contains a clear text password. Stolen hardware just plain sucks too. Let's prevent it.
iMac Locks
The flat panel iMac has a bottom panel that can easily be opened. If you have iMacs, you either want to get special screws, or you should look at one of these products:

• iMac Lock (link dead)
  
• Apple custom new iMac high security plate lock (link dead)
  

If you are using security screws, you want to use a script that verifies your open firmware password. See below.
Security Cameras
Scare away hackers with cameras. Be sure to archive all images so that you can convict hackers. Here are 2 vendors that make good cameras.

• Axis
  

Alarms

• LightGard Fiber optic cables
  Scare away thieves with this alarm. If the fiber optic loop is broke, ring a ling ding!
  

Tamper/theft Detection

• InterMapper
  InterMapper will keep track of your computers. If one of them goes off, InterMapper can email or page you.
• Use curl and a webserver to track stolen hardware. This simple perl script will try to download a file that is named '<serial number>.html' from a webserver, but only if the computer has network access. Run it every hour or once a day with cron. Be sure to configure the webserver to log IP's.

System Profiling

• Apple Remote Desktop is capable of producing machine reports. Use these to make sure that nothing has changed.
• If you don't have ARD, system_profiler will generate a text report. A simple 'system_profiler grep DIMM' will tell you what RAM is installed in your computer. You can also use system_profiler to get the machine serial number and ethernet address.

Boot Security

Open Firmware
Open Firmware is how you ensure that users don't change the boot disk. Please read the detailed instructions to learn how more about Open Firmware, how to set it, and how to verify that it stays set.
Single User Mode

• SecureIt will prevent anyone from accessing single user mode without a password. A must have for Macs that are too old to have open firmware password. This is nice even on Macs that have open firmware password, just in case you forget to set it. Please read the detailed installation instructions.
  

Old Hardware

• Unplug zip and CD drives in hardware that does not support open firmware password.
  

Classic

• Do not dual boot. If you do, there is no way you can count on any kind of security. PERIOD.
• Lock Startup Disk prefs.
• Use a disk image. See: ShadowClassic. Also read this forum posting: Using Classic from a read-only disc image.

Published Exploits

Mac OS X has had many published holes. If you want to keep your systems safe, you must be able to push out an updated system ASAP. Choose whatever maintenance software you want. Just be aware that some will require much more time to push out an update. We recommend Radmind. Radmind has a steep learning curve, but it can push out an update to over 500 Macs in one day, if you really needed to.
Maintenance Software

• ASRX tips (link dead)
  
• Mac OS X Labs. See this site for more information about lab deployment.
  

Security Notifications
Stay on top of published exploits by knowing about them first. Following is a list of the major security sites. Be aware that these sites usually post notifications after there is a fix. If you want to be notified before it gets posted on these sites, you have to be participate in the mail lists and forums where they discuss lab deployment issues.
Security Notifications - Mac OS X Specific
General Security
If you have alot of time, you may consider visiting these websites often as well.

Passwords

It is very easy to get the encrypted password on a Mac OS X box with local users. 10 years ago the encrypted passwords were safe. Today, it is possible to crack an encrypted password because our computers are so fast. Please read more about passwords.

Admin System Changes

Realize that every change you make to the system is a potential security hole. Examples include enabling root, adding startup items, loginhook, logouthook, or cron jobs.

• How to write secure code. (link dead)
  
• Use full paths
• Use trusted system calls.
• Check input.
• Don't do anything in public space.
• Take into account your script may not finish because the Mac is force restarted. What would it do next time it is run?
• Check permissions, check permissions, check permissions (see next section).

World Writable

Track Software Installs

• Radmind. The key tool here is fsdiff.
• File Buddy. Use the 'Take Snapshot' and 'Compare Snapshots' menu items.
  

Applications that want world write rights to non-user space.

• Fix 'Crappy Apps' with links/aliases.
  

Find world writable

• Use 'sudo find / -perm -2'
• Startup script that runs 'sudo find / -perm -2' and notifies you if there is a problem.

SUID Root

• Improving the Security of a Default Install of Mac OS X.
• Writing Safe SetUID Programs.
• Dangers of SUID Shell Scripts .
• Shredding Access in the Name of Security: Set UID Audits.
• 'find / -perm -4000 -user 0'

Network Sniffing

• Use a smart switch!
• Turn port security on so laptops will not work. Ports will only work with one CPU
• Use a encrypted applications: ssh, sftp, ssl email transfer. Not telnet, ftp, non-ssl email transfer.
• Be aware a switched network isn't as secure as you think. Read why.

Logout

• It is possible to launch processes that will not quit at logout. Read more about nohup.
• Add to logouthook: 'killall -u $1' (this is ungraceful approach)
• Leave loginwindow and other system processes running, but kill all other user processes with the killsumapps script. Be sure to give it a username.
• PERL:
  system '/path/to/killsumapps.pl $ARGV[0]';
• SHELL:
  /path/to/killsumapps.pl $1
• Neither of the above methods will kill SUID root applications like top.

Services

Scan yourself now

• Port scan your box.
  

Firewall

• Ports you may want to leave open: More info coming*.
• Here are some pages that list Mac OS X ports: UCLA page, Apple KB 106439, Who's There, macosxhints, and Internet Assigned Numbers Authority

Allow lists

• sudoers. Remove '%admin' from /etc/sudoers and replace with your admin username using the visudo command (see visudo man page).
• sshd. Add 'AllowUsers username1 username2 etc' to /etc/sshd_config (see man sshd_config). The users allowed are separated by spaces. Change 'Protocol 2,1' to 'Protocol 2' in /etc/sshd_config. Also, sshd uses TCP-Wrappers.
• Enable TCP-Wrappers. Read more about TCP-Wrappers.
• xinetd uses TCP-Wrappers, or you can configure it even more (see man xinetd.config).
• Apache, read about allow lists, and use this:
• <Directory '/Library/WebServer/Documents'>
  AllowOverride None
  Order deny,allow
  Deny from all
  </Directory>
• Cron
• chmod -R o-rx /etc/crontab
  chmod -R o-rx /etc/periodic
  echo root > /var/cron/allow

The Unknown

Tripwire

• Disable update_prebinding. More info coming*.
• Radmind. More info coming*.
• FCheck. Read about FCheck.
• Tripwire on Mac OS X. Offical site. Sourceforge. Tripwire source code.
• Checkmate.
• SamHain.
• Osiris.
• Aide.

Security Scanners

• Nmap (Mac OS X version: NmapFE). Read about Nmap.
• Nessus (Mac OS X faq).
• MacAnalysis. We have negative opinions about this application, but we thought it deserves mentioning. Initially we thought it was really awesome and wrote this review (written in 2002). Our current opinion is negative because MacAnalysis never reports any problems. Either that is because MacAnalysis isn't doing anything, or Mac OS X is *really* secure, which would explain why there hasn't been a single security update from Apple... Also, it can not be automated. And it constantly asks for a new serial number, which we have to get from the developer. We just quit using it and are very unhappy with it.

Log checker

• Use a central logger. More info coming*.
• Use a log checker. More info coming*.
• Turn on extra logging in xinetd (see man xinetd.config)

Turn on process accounting

• 'mkdir /var/account'
• 'touch /var/account/acct'
• 'accton /var/account/acct' or reboot
• 'chmod o-rx /usr/bin/lastcomm'
• 'chmod -R o-rx /var/account'

Forensics
If you really have been hacked, you should turn off the computer, and don't turn it back on without talking to the police or your security department. You will probably have to remove the hard disk and turn it over to them. If you are the security department, and you don't know what you are doing, well, here are some things you can read.

• Get involved in the Mac OS Forensic and Analysis Yahoo Group. Some of the world's best Mac OS X forensic experts are in that group.
• Here is a Word document that demonstrates what a detailed forensics analysis looks like: Roland_Miller_GCFA.doc
• Watch network packets with tcpflow (see here for Mac OS X info).
• On a running box, you can use these preinstalled Unix utilities (assuming that they haven't been modified by a hacker to not show you any problems).
• 'sudo tcpdump -n' to see network packet headers (using IP's and not DNS names).
• 'sudo netstat -f inet' to see the tcp listings.
• 'sudo netstat -tan' to see all network and local sockets in use.
• 'sudo lsof' to see open files. As root, it will show you the open network sockets for all programs running on your system.
• MacSniffer for analyzing network traffic.
• Inspect hard disks without the system modifying them by using BlackBag's FireBox or WiebeTech's Forensic DriveDock. (link dead)
  

Links

• Mac OS X Security by Leon Towns-von Stauber, given at the O'Reilly Mac OS X Conference 2002 (pdf)
• Securing Mac OS X (link dead) by Simon Edwards

Books

• Mac OS X Security by Bruce Potter, Preston Norvell, Brian Wotring (May 2003)
• Maximum Mac OS X Security By John Ray, Will Ray (May 2003)

Discusses the dangers of having SSH enabled on a computer as well as recommended precautions such as disabling protocol 1, setting up user access lists, setting up IP access lists, changing the default port, and turning on the firewall.
Learn how to install and set up FCheck.
What do you get when you mix fast computers, large hard disks, lots of RAM, fast internet connections, a UNIX OS, public access to the CPU, and no monitoring? A really nice public computer lab. However, add one really smart cracker, and soon you have a really nice public lab of unauthorized internet servers. While Mac OS X is secure, it isn't impenetrable, and it is gold mine. Someday, across University campuses everywhere, really smart crackers are going to realize that cracking into convenience store safes aren't as profitable as cracking into bank vaults. When they finally realize this, it would be nice if lab admins already have security systems ready to stop them. NMap is a tool that scans a computer's network ports. Make sure that your computers don't have network ports open that shouldn't be open by using a script and cron to automate nmap scans. James will discuss and demonstrate automating nmap in our labs.
Learn what an open firmware password is, how to set one, and how to verify one.
There are 2 types of password vulnerabilities. One is a plain brute force login attempt. That is when a user (or more likely script) tries to login with common usernames and passwords until a match is found. This is a common network attack against ssh. The other is type of vulnerability is when the 'encrypted' password file is obtained. It is getting continually easier and easier to crack the encrypted password files, almost to the point that they are useless. So keeping them safe is getting to be the only way to protect yourself from this, unless you have the resources to use 2-factor authentication, like a password PLUS fingerprint/retina scan.
Discusses a single user mode vulnerability and how to avoid this vulnerability using SecureIt.
Discusses TCP Wrappers and how to configure it.

Exiled Lab Mac Os Download