Mac OS X Security
May 27, 2003 Meeting Minutes

Attending:
  Dave Pugh (dpugh)
  Suleman Diwan (suledwan)
  Phil Holland (hollandp)

Not Attending:
  Chris Brenner (cbrenner)
  Jim Jeffries (jwj)
  Jeff Kopmanis (kopmanis)
  Mark Montague (markmont)
  Lewis Donofrio (donofrio)

PHYSICAL SECURITY
-----------------

Undecided: UM property tag to NVRAM (discussed May 13)

PREFERENCES
-----------

- Firewall
  - Outbound ports (and replies to outbound traffic) are all open by default
  - Inbound ports to open:
    - NOT X - we should require users to use SSH to tunnel it
      - Need to set the ssh_config default to always enable X tunneling
    - SSH (will be enabled when the service is activated)
    - AFS (7001?)
    - NetOctopus (what ports?)
      - Restrict it to NetOctopus servers only?
  - Anything more specific than what the GUI provides (subnets, etc.)

LOGIN/LOGOUT
------------

Need kx509 certificate support for single sign-on
- Phil brought up security concerns: can someone get to wolverine_access/coursetools as a professor without typing in a password if they have access to the machine? Not really any more dangerous than Kerberos, which is widely accepted.

Authorization? Just based on presence of an account?
- Local netinfo for machine owner
- Remote netinfo/LDAP for admin accounts
- Local authentication done via the local netinfo account, because if you install both Kerberos and LDAP, it opens the machine up to everyone
- Admin accounts could live in separate branches of the netinfo tree so that admins from one dept couldn't access other dept machines
- Another option is to retain Kerberos authentication but remove LDAP
  - Pro: easy fix to the too-much-authorization problem
  - Con: can't see file owners (AFS), login from home
- /etc/authorization: can put the Kerberos section later in the file, which will authenticate them using their local account but still get their Kerberos tickets
- Maybe create a script to change both their local and Kerberos passwords when they want to do so
- Create a cron job that checks for valid tickets every x minutes and launches the Kerberos utility if they are expired
- Check availability of a Kerberos utility plugin to get an AFS token after renewing the Kerberos ticket
- Need to create a package that will enable any UM member to authenticate via Kerberos login / LDAP account info

What needs to be accomplished upon logout?
- kdestroy
- unlog
- NetOctopus - good time to pull down updates

What can/should we do with iHook? May not be useful here since logout will happen so fast.

THINGS TO PONDER
----------------

Concerned about the "single user mode root vulnerability"?
- Options include an Open Firmware password, inserting a custom script into the rc startup file(s) to ask for a password, and possibly changing 'secure' to 'insecure' in /etc/ttys
- Keep it open so that people can fix their own mistakes
- Leave it up to the owner to retain physical security for the box
- Password protecting it offers little extra since someone could boot off a CD

MONITORING
----------

Mike's policy: can't be on the machine if the user is logged in; can't monitor files/ports unless part of an investigation

Does virus protection actually violate that policy?
What's the difference between virus protection and tripwire? How is it different than logging when someone logs in/out? Web logs track what a person does by logging their queries?

Is it worth the fight? Who's going to be looking at the logs?

Any reason monitoring is bad if you're just doing system files and not user data? Individual departments could always run things within their department.

What can (SPG) and should we do with respect to monitoring?
- SPG: 601.7, 601.8, 601.11
- IP attacks - snort, henwen
- File integrity - tripwire
- Others?

MISC
----

- ksudo - don't use it since it would not work for the desktop owner if the machine is unplugged
  - Verify that remote admin authentication is secure
- Which Mac browsers have X.509 support?
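As an added worked example for the LOGIN/LOGOUT item above (the cron job that checks for valid tickets and launches the Kerberos utility when they are expired, plus the follow-on AFS token), not part of the minutes: the script assumes the MIT Kerberos `klist -s` exit-status convention, the OpenAFS `tokens`/`aklog` commands, and that the Kerberos utility can be launched with `open -a Kerberos` from the user's own crontab; the 10-minute interval is a placeholder for the "x minutes" in the notes.

```shell
#!/bin/sh
# check_tickets.sh - periodic Kerberos/AFS credential check for cron.
# Constructed example, not the working group's code. Assumptions:
#   klist -s   exits 0 when a valid ticket cache exists (MIT Kerberos)
#   tokens     lists AFS tokens; aklog obtains one from the Kerberos TGT
#   open -a    launches the Kerberos utility in the user's login session
# Placeholder crontab entry ("x minutes" in the minutes is undecided):
#   */10 * * * * $HOME/bin/check_tickets.sh

KERBEROS_APP="${KERBEROS_APP:-Kerberos}"   # assumed application name

# 0 if the user holds a valid (unexpired) TGT, non-zero otherwise.
have_valid_tgt() {
    klist -s >/dev/null 2>&1
}

# 0 if `tokens` shows at least one AFS token (assumed output format:
# "User's (AFS ID n) tokens for afs@cell [Expires ...]").
have_afs_token() {
    tokens 2>/dev/null | grep -q 'tokens for afs@'
}

# Decide what this cron run should do; prints one word:
#   prompt - no valid TGT: bring up the Kerberos utility so the user re-authenticates
#   aklog  - TGT present but no AFS token: obtain one silently, no prompt needed
#   ok     - credentials are complete, nothing to do
decide_action() {
    if ! have_valid_tgt; then
        echo prompt
    elif ! have_afs_token; then
        echo aklog
    else
        echo ok
    fi
}

run_check() {
    case "$(decide_action)" in
        prompt) open -a "$KERBEROS_APP" ;;
        aklog)  aklog ;;
        ok)     : ;;
    esac
}

# Only act when run directly (allows the functions to be sourced elsewhere).
if [ "${0##*/}" = "check_tickets.sh" ]; then
    run_check
fi
```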