Locking down Darwin

From Ben's Writing


This needs a whole lot more work, but I've been using the following script to secure a basic Darwin/OS X installation.

Locking down Darwin

#!/bin/bash

# Refuse to run unless we are root; report the problem on stderr.
if [ "root" != "$(whoami)" ]; then
    echo "Must be root!" >&2
    exit 1
fi

##
# Allow only root to run "at" and "cron"
##

rm -f /var/at/at.deny 2>/dev/null
rm -f /var/cron/deny 2>/dev/null
echo "root" >/var/at/at.allow
echo "root" >/var/cron/allow

##
# Set some sane permissions
##

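# chmod wrapper that discards all output, including errors, so paths
# that do not exist on this system are skipped silently.
function _chmod () {
    chmod "$@" 1>/dev/null 2>&1
}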

_chmod 600 /etc/cron*
# /var/cron/deny was removed above, so this only has an effect if the file is recreated.
_chmod 600 /var/cron/deny
_chmod 600 /var/cron/allow
_chmod 600 /etc/ftpusers
_chmod 600 /etc/inetd.conf
_chmod 600 /etc/syslog.conf

_chmod 750 /sbin/dumpfs
_chmod 750 /usr/sbin/fdisk
_chmod 750 /sbin/fsck
_chmod 750 /sbin/fsck_hfs
_chmod 750 /sbin/fsck_msdos
_chmod 750 /sbin/halt
_chmod 750 /sbin/ifconfig 

_chmod 750 /usr/bin/lpq
_chmod 750 /usr/bin/lprm
_chmod 4750 /usr/bin/lpr
_chmod 700 /usr/bin/script

_chmod 750 /usr/sbin/edquota
_chmod 2750 /usr/sbin/lpc
_chmod 750 /usr/sbin/named
_chmod 750 /usr/sbin/nmbd
_chmod 750 /usr/sbin/ntpdate
_chmod 750 /usr/sbin/ntptrace
_chmod 750 /usr/sbin/pppd
_chmod 750 /usr/sbin/rpcinfo
_chmod 750 /usr/sbin/smbd
_chmod 750 /usr/sbin/syslogd
_chmod 750 /usr/sbin/tcpdchk
_chmod 750 /usr/sbin/tcpdmatch
_chmod 750 /usr/sbin/tcpdump
_chmod 750 /usr/sbin/vipw
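
Because the `_chmod` wrapper discards every error, the script never reports which modes were actually applied. The following audit is an added example, not part of the original script: the names `audit_modes` and `demo_audit` are hypothetical, and the demo runs against constructed files in a scratch directory rather than the real system paths.

```shell
#!/bin/sh
# audit_modes: read "MODE PATH" lines on stdin and compare each path's
# permission bits with MODE. Prints one status line per entry and
# returns non-zero if any path is missing or has a different mode.
audit_modes() {
    bad=0
    while read -r want path; do
        # Skip blank lines and comments in the expected-mode list.
        case "$want" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "MISSING  $want $path"
            bad=$((bad + 1))
        # POSIX find: -perm with a bare octal number is an exact match on
        # the 07777 bits, so setuid/setgid bits are compared as well.
        # -L follows a symlink, matching what chmod would have changed.
        elif [ -n "$(find -L "$path" -prune -perm "$want" 2>/dev/null)" ]; then
            echo "OK       $want $path"
        else
            echo "MISMATCH $want $path ($(ls -ld "$path" | cut -d' ' -f1))"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo: a scratch directory stands in for /etc, /usr/bin
# and /usr/sbin. tcpdump is left at 755 and smbd is absent on purpose.
demo_audit() {
    d=$(mktemp -d) || return 1
    touch "$d/inetd.conf" "$d/lpr" "$d/tcpdump"
    chmod 600 "$d/inetd.conf"
    chmod 4750 "$d/lpr"
    chmod 755 "$d/tcpdump"
    audit_modes <<EOF
600 $d/inetd.conf
4750 $d/lpr
750 $d/tcpdump
750 $d/smbd
EOF
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_audit || echo "audit: some entries were not applied" >&2
```

To audit a real system, feed `audit_modes` the mode and path pairs from the script above, one pair per line.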

Replacing md5sum

MD5 is no longer considered secure and should be replaced with SHA1. Unfortunately, Mac OS X does not currently have any pre-packaged sha1sum tools. The good news is that there is a source for it:

http://www.microbrew.org/tools/md5sha1sum/
