Locking down Darwin
From Ben's Writing
This needs a whole lot more work, but I've been using the following script to secure a basic Darwin/OS X installation.
[edit]
Locking down Darwin
if [ "root" != `whoami` ]; then
echo "Must be root!" 2>/dev/null
exit 1
fi
##
# Allow only root to run "at" and "cron"
##
rm -f /var/at/at.deny 2>/dev/null
rm -f /var/cron/deny 2>/dev/null
echo "root" >/var/at/at.allow
echo "root" >/var/cron/allow
##
# Set some sane permissions
##
function _chmod () {
chmod "$@" 1>/dev/null 2>&1
}
_chmod 600 /etc/cron*
_chmod 600 /var/cron/deny
_chmod 600 /var/cron/allow
_chmod 600 /etc/ftpusers
_chmod 600 /etc/inetd.conf
_chmod 600 /etc/syslog.conf
_chmod 750 /sbin/dumpfs
_chmod 750 /usr/sbin/fdisk
_chmod 750 /sbin/fsck
_chmod 750 /sbin/fsck_hfs
_chmod 750 /sbin/fsck_msdos
_chmod 750 /sbin/halt
_chmod 750 /sbin/ifconfig
_chmod 750 /usr/bin/lpq
_chmod 750 /usr/bin/lprm
_chmod 4750 /usr/bin/lpr
_chmod 700 /usr/bin/script
_chmod 750 /usr/sbin/edquota
_chmod 2750 /usr/sbin/lpc
_chmod 750 /usr/sbin/named
_chmod 750 /usr/sbin/nmbd
_chmod 750 /usr/sbin/ntpdate
_chmod 750 /usr/sbin/ntptrace
_chmod 750 /usr/sbin/pppd
_chmod 750 /usr/sbin/rpcinfo
_chmod 750 /usr/sbin/smbd
_chmod 750 /usr/sbin/syslogd
_chmod 750 /usr/sbin/tcpdchk
_chmod 750 /usr/sbin/tcpdmatch
_chmod 750 /usr/sbin/tcpdump
_chmod 750 /usr/sbin/vipw
[edit]
Replacing md5sum
MD5 is no longer considered secure and should be replaced with SHA1. Unfortunately, Mac OS X does not currently have any pre-packaged sha1sum tools. The good news is that there is a source for it:
http://www.microbrew.org/tools/md5sha1sum/
Categories: Configuration | Darwin | OS X | Security | UNIX
