Large deployments of Mac OS X based systems are becoming more and more prevalent. In some ways, this is due to one to one programs and more frequent enterprise deployments of Mac OS X. As such, people are more and more looking to manage systems. And any time you have systems being managed, those using managed systems start looking to break the management of the computers. Therefore, a new topic comes up: trying to discern when a system has broken out of the management framework. For example, how do you know when users have broken your firmware password? How do you know when they’ve circumvented your managed preferences framework to give themselves teh root? How do you know when they’ve traded access to teacher tube to some other video site with more scantily clad teachers on it? How do you know when employees have unlocked the “My IT Department Sucks” badge on Foursquare at work, even though your firewall specifically doesn’t allow access to social networking sites?
Here are some tips, most of which assume there is some form of patch/policy/update management solution (e.g. Casper, Absolute Manage, FileWave, Puppet, etc) in use in the environment:
- Create a jailed environment. If the system breaks any of the other rules then put them in the jailed environment. While in the jailed environment, revoke Internet access (e.g. set an invalid proxy, static the gateway to 127.0.0.1, kill name resolution or something like that). Also alert admins any time the system is jailed.
- Hide your admin accounts: http://krypted.com/mac-os-x/mac-os-x-hey-wheres-my-admin-user/ and pre-Lion, possibly an entirely hidden dislocal node.
- Check the date and time stamp of /var/db/shadow/hash daily. If the date/time stamp does not match the last time you changed the password then the system has broken the policy. In Lion, check the contents of /var/db/dslocal/nodes/Default/users and check root/your local admin, as well as your local admin password.
- Set the firmware password: http://krypted.com/mac-os-x/those-pesky-firmware-passwords but use your patch management to set it more frequently – or check the contents of the firmware password against what it should be (such as at http://paulmakowski.blogspot.com/2009/03/apple-efi-firmware-passwords.html). You cannot “lock” or force a firmware password, but you can verify that they haven’t been changed.
- Check pmond, if the mode of any files are not as intended then reset and alert that it was changed. You could scan other binaries, particularly in /bin, /usr/sbin, etc w/ something like tripwire: http://krypted.com/mac-os-x/basic-installation-of-tripwire
- If Lion, enable Full Disk Encryption, which requires the recovery partition. So hack the recovery partition to remove reinstall abilities and anything else dangerous in your environment: http://krypted.com/mac-os-x/hacking-around-in-lions-recovery-mode
- If using mcx, compare the mcxread output to that which is expected (e.g. for a user or a computer, I wouldn’t mix them given that you may get more false positives than you want)
- Consider an old security topic: extrusion detection. Here, we look for traffic patterns that would be normal, that is, if the system were an unmanaged host. For example, if part of your management is to proxy traffic and the system is not using your proxy then that could be a problem. So look for unproxy’d traffic hitting your firewall from systems where it shouldn’t.
- My favorite: the honeypot. Put something on the computers that looks awesome, that users just can’t help but think they just have to open. For example, a file called “Access to the Grading System” in a school or “Admin Access to Payroll System” in a company. Something almost ridiculously named. Put it somewhere that only a user with administrative access could get (like the desktop of your local admin account). When they open it, disable loginwindow.
- Finally, take a hard line with those who break the rules. Making an example of someone is sure to end up greatly reducing those who might follow in their footsteps. In a corporate environment this can be tricky, as people have to do their jobs, but feel free to be crafty. I like the old scarlet letter approach, or caning. But given that those aren’t quite so popular any more, perhaps pop-up screens that say “HAHAHAHAHAH, we busted you – you were pwnd suckah!” every 15 minutes that flash pink and yellow so all their friends can see it isn’t a bad call. In schools, particularly in one to one environments, such would be particularly embarrassing, but we don’t want to scar them for life. Thus the significant drop in caning. You could also take the machine away for a day or two, (time to reimage it). Maybe force them to use SimpleFinder…