Securing Mac OS X begins with the initial setup of the computer, including the drive format and operating-system installation. Trying to go back and correct problems with the initial configuration can be difficult or even impossible, so it's important to plan out what you're going to do.

Considering Preinstallation Issues

Before installing Mac OS X, you should consider how the computer's hard drives will be formatted and partitioned. Several formatting and partitioning options have potential security implications.

Booting With Mac OS 9 Drivers

Each hard drive can optionally be formatted with Mac OS 9 drivers. Since the possibility of booting into Mac OS 9 is generally a security risk in a Mac OS X environment, you should omit this option whenever possible. Macintoshes can ship with or without preinstalled Mac OS 9 drivers. If you have any doubt about the presence of Mac OS 9 drivers, open Disk Utility and click the Info button to check.
If the Mac OS 9 drivers are present, the only way to fully remove them is to erase or repartition the entire hard drive. Note that the checkbox for installing Mac OS 9 drivers is available only when erasing an entire disk, not when erasing just a partition (even if it's the only partition on the disk). The presence or absence of a driver will not change per partition.

Disabling File Permissions

File permissions can be disabled on Mac OS Extended format (HFS Plus) volumes other than the boot volume.
Disabling (or enabling) permissions requires administrator user access, but once permissions are disabled, all users will have the equivalent of owner access to all files on the volume. If you can't count on your administrators to avoid this, you can format additional volumes in Mac OS Standard format (hierarchical file system, or HFS) rather than Mac OS Extended format (which could lead to compatibility problems, especially with older Mac OS programs). Or you can periodically run the following CLI commands to audit the volume database:

    sh
    for V in /Volumes/*; do vsdbutil -c "$V"; done
    exit

Note: If you use sh or bash as your shell, the sh and exit commands can be skipped. If you don't know which shell you use, leave them in; they will not hurt anything.

If you see any local volumes listed as "disabled," you may have a problem.

Retaining Mac OS 9 Files

If the hard drive previously has been used with Mac OS 9 and contains files that need to be retained, consider copying the files temporarily to another disk, erasing the drive, and then copying the files back after installation. Files that Mac OS 9 created do not have ownership and permissions associated with them, and are readable by any user on the system. When the files are copied back under Mac OS X, they have ownership and permissions assigned based on the user who copied them.

Erasing Disks

When erasing a disk that has had important data stored on it, use one of the secure erasure features available in Disk Utility and the diskutil command-line tool, discussed in the next section. By default, erasing a disk or volume does not actually erase the data that had been stored in files on the disk; it simply removes the catalog information that specified which files existed and which blocks of data belonged to those files. Even though the disk will appear blank after such an erasure, a disk editor or data recovery program may still be able to recover files from the disk.
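Returning to the vsdbutil audit loop under Disabling File Permissions: the script below is an added example, not code from the book, that filters the loop's output down to the volumes reported as disabled so the check can run unattended. It assumes vsdbutil -c prints one line per volume of the form "Permissions on '<mount point>' are enabled." or "... are disabled."; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): report volumes with permissions disabled.
# Assumption: `vsdbutil -c` prints one line per volume in the form
#   Permissions on '<mount point>' are enabled.   (or "... are disabled.")

# Read vsdbutil -c output on stdin; print each mount point reported as disabled.
# The greedy match keeps apostrophes inside a volume name intact.
find_disabled() {
    sed -n "s/^Permissions on '\(.*\)' are disabled\.*\$/\1/p"
}

# Run the page's loop over every mounted volume and filter the result.
audit_volumes() {
    for V in /Volumes/*; do
        [ -d "$V" ] || continue      # skip the literal glob if nothing matched
        vsdbutil -c "$V" 2>&1
    done | find_disabled
}

# Constructed sample output, used when vsdbutil is not installed.
# The third line stands in for any other message the tool might print.
SAMPLE="Permissions on '/Volumes/Macintosh HD' are enabled.
Permissions on '/Volumes/Scratch' are disabled.
(constructed placeholder for any other message)
Permissions on '/Volumes/Bob's Backup' are disabled."

sample_disabled() {
    printf '%s\n' "$SAMPLE" | find_disabled
}

if command -v vsdbutil >/dev/null 2>&1; then
    bad=$(audit_volumes)
else
    bad=$(sample_disabled)
fi

if [ -n "$bad" ]; then
    printf 'Volumes with permissions disabled:\n%s\n' "$bad"
else
    echo "No volumes report disabled permissions."
fi
```
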
If a disk or volume cannot be erased, it is a good idea to erase the free blocks on it (those not currently containing live files), as the free blocks will usually contain data from previously deleted files. You can do this with either Disk Utility or the diskutil command-line tool.

Choosing Secure Installation Options

There are two significant sets of choices in the process of installing Mac OS X v10.4: installation type and optional installation packages. Both sets of choices have security implications.

Selecting Installation Type

When the installer reaches the Select a Destination screen (which enables you to choose which volume to install on), there is an innocent-looking button labeled Options near the bottom of the screen. Depending on which (if any) operating system is already installed on the volume you select, you will be allowed to choose from the applicable installation types:
Choosing Package Customization

The next screen will, by default, offer to perform an Easy Install on the selected volume. Normally you will want to click the Customize button so you can customize which optional system components will be installed. For Mac OS X v10.4.0, the only customizable components are print-driver collections, additional fonts, a variety of language localizations, and the X11 windowing system. The first three do not have significant security implications (although trimming them down to only the needed components is a good idea). X11, on the other hand, allows remote network access of some POSIX-layer programs. While you can configure X11 for a good level of security, doing so is beyond the scope of this book. Unless you know how to secure X11, you should not install the X11 component.

Note: The default Easy Install includes all printers, fonts, and languages, but not the X11 component. As far as security is concerned, this is an acceptable combination, so customization is not necessary.