|
|
|
|
 |
|
Apple
Mac OS X v10.3.x "Panther"
Security Configuration Guide
|
Name |
Apple
Mac OS X v10.3.x "Panther" Security
Configuration Guide |
|
Version |
Version
1.1 |
|
Status |
Candidate |
| Creation
Date |
2004-10-15 |
| Revision
Date |
2004-10-15 |
| Product
Category |
Operating
System |
| Vendor |
Apple
Computer Corporation |
| Product |
Mac
OS X |
| Product
Version |
v10.3.x
"Panther" |
| Product
Role |
Desktop
or mobile client |
|
Checklist
Summary |
The
purpose of this guide is to provide an overview
of Mac OS X v10.3.x “Panther” operating
system security and recommendations for configuring
the security features. This guide provides
recommended settings to secure systems using
this operating system, and points out problems
that could cause security concerns in systems
using this operating system.
This
document consists of six chapters and two
appendices:
Chapter 1, “Scope of Guidance,”
contains an overview of the type of system
for which this guidance is intended.
Chapter 2, “Introduction to Mac OS X
Security,” contains a brief overview
of some of the key security features found
in the Mac OS X operating system.
Chapter 3, “Initial Installation”
contains step-by-step guidance for installing
a new Mac OS X system.
Chapter 4, “Configuring System Settings,”
contains information on how to securely configure
a Mac OS X system once it has been installed.
Chapter 5, “Configuring User Accounts,”
contains guidance on how
to create new user accounts, how to give an
account administrative access, how to limit
account capabilities, how to configure each
type of account to
make it secure, and information that should
be passed on to users about using their accounts
securely.
Chapter 6, “Future Guidance,” contains
information about topics that were not covered
in this guidance, but which are slated for
future guidance.
Appendix A, “Encrypting Files and Folders,”
gives instructions on two additional ways
to encrypt files under Mac OS X that may provide
additional security for information that is
to be transferred via removable
media (e.g. CD) or network.
Appendix B, “References,” contains
a list of resources used in creating this
guide. Many of these resources are valuable
sources of additional
information about Mac OS X in general, including
many features not discussed in this guidance.
Appendix C, “Additional Resources,”
contains a list of references that, though
not used in preparation of this guide, may
be of interest to the reader.
|
| Known
Issues |
Guidance
in this document is geared towards a locally-administered
Mac OS X v10.3.x system. Guidance contained
here may not be applicable to Mac OS X Server
or to a Mac OS X network.
Some instructions within this guidance are complex,
and deviation could result in serious adverse
effects on the system and its security. Modification
of these instructions should only be performed
by experienced Mac OS X administrators, and
followed by thorough testing. |
| Target
Audience |
This
document is intended for anyone managing a locally
-administered Apple Mac OS X v10.3.x system.
It is assumed that anyone using this guidance
will have some experience using Mac OS X, and
understands the basics of the Mac OS X user
interface. |
| Target
Operational Environment |
Specialized
Security - Limited Functionality (standalone) |
| Checklist
Installation Tools |
Built-in
GUI and CLI administration tools. |
| Rollback
Capability |
There
is not an automated way of rolling back the
system other than recovering from a full backup.
Some settings may be reverted by manually. |
| Testing
Information |
The
security configuration guide has been extensively
tested with Mac OS X v10.3.3 with "Mac
OS Update 10.3.4" and security updates
"Security Update 2004-05-24" and "Security
Update 2004-06-07" in a lab environment
and operational environment. |
| NIAP/CMVP
Status |
The
product has been evaluated with a NIAP-approved
Common Criteria Testing Laboratory by Apple
but this checklist does not convey the evaluated
configuration. |
| Regulatory
Compliance |
Not
applicable |
Comments,
Warnings, Disclaimer, Miscellaneous
|
The
following list contains suggestions for successfully
using the Apple Mac OS X Security Configuration
Guide:
Read the guide in its entirety. Subsequent sections
can build on information and recommendations
discussed in prior sections.
This guidance should always be tested in a non-operational
environment before deployment. This non-operational
environment should simulate the architecture
where the system will be deployed as much as
possible.
This guidance is intended primarily for a locally-administered
Mac OS X system. Much of the guidance may still
be applicable even for a Mac OS X system being
managed by another server. If the system being
configured will be centrally managed by another
system, the guidance given here should be
followed as closely as possible within that
context, but some guidance may not be applicable.
Any deviations from this guidance should be
evaluated to determine what security risk that
deviation may introduce, and measures should
be taken to monitor or mitigate those risks. |
| Disclaimer |
Do
not attempt to implement any of the settings
in this guide without first testing in a non-operational
environment.
This document is only a guide containing recommended
security settings. It is not meant to replace
well-structured policy or sound judgment.
Furthermore this guide does not address site-specific
configuration issues. Care must be taken when
implementing this guide to address local operational
and policy concerns.
The security changes described in this document
only apply to Apple Mac OS X v. 10.3.x “Panther”
and should not be applied to any other Mac
OS versions or operating systems.
|
| Product
Support |
|
| Submitting
Organization/Authors |
Systems
and Network Attack Center (SNAC), National Security
Agency (NSA) |
| Point
of Contact |
SNAC.Guides@nsa.gov |
| Sponsor |
|
| Licensing |
Unless
expressly stated otherwise to comply with license
requirements or copyrights owned by others,
information presented on NSA.gov is considered
public information and may be distributed or
copied. Use of appropriate byline/phone/image
credit is requested. In accordance with 50 USC
402, no one may use without permission from
NSA/CSS the words 'National Security Agency',
the initials, or seal of the National Security
Agency in connection with any commercial activity
or in a manner intended to convey the impression
that such use is approved, endorsed, or authorized
by the National Security Agency. |
| Checklist
Homepage |
http://www.nsa.gov/snac/
index.cfm?MenuID=scg10.3.1 |
| Download
Package |
http://www.nsa.gov/
notices/notic00004.cfm?Address=
/snac/os/applemac/osx_client_final_v_1_1.pdf |
| Integrity |
SHA1
Digest (osx_client_final_v_1_1.pdf) = ec987030952df96206bdfaea459cf8f8fb7f804d
SHA256 Digest (osx_client_final_v_1_1.pdf)
=
a411e36a6ff0070e69c4e6a3cb80b7fbbfed52e
57e81b0eaf18ee2a2db5e17e9
|
| Change
History |
Version
1.1 - 2004-10-15
|
| Dependency/Requirement |
|
| References |
Mac
OS X Maximum Security; Ray, John, and Ray, Dr.
William C.; Sams Publishing; 2003
Mac OS X Panther Unleashed; Ray, John, and Ray,
Dr. William C.; Sams Publishing; 2004
“Mac Help,” Mac OS X Panther, Apple
Computer, Inc., 2003
Inside Mac OS X, “System Overview,”
Apple Computer, Inc., 2001-2002
“Macintosh OS X Security Technical Implementation
Guide (Draft);” Version 1, Release 0; Defense
Information Systems Agency (DISA); 30 June 2003
“Apple Federal Smart Card Package Installation
and Setup Guide;” Apple Computer, Inc.;
2003
“The Mac OS X File System;” Mac OS
X Reference Library. Apple Computer, Inc; March
26, 2004. |
| NIST
Identifier |
1003 |
|
|
|
NIST and the checklist submitter do not guarantee or warrant the checklist's
accuracy or completeness. NIST is not responsible for loss, damage, or
problems that may be caused by using the checklist.
|
