I'm guessing you guys actually have Mac clients then if you're still here. Right. So just before I get started, the answer to a couple of the questions or some addendums to what Jay was saying about some of his stuff. X11 is available on the installer CD for any OS X installer. So that's pretty easy to grab. Apache. Another really good reason to do what Jay was talking about, rip out the old Apache files and insert new ones, is because Apache as it's built on OS X is not that great. So if you rebuild it from scratch, it actually operates at maybe 250% better performance. I mean, it does not perform on OS X very well. So there's a program called MAMP that'll do a lot of that for you. But just to continue with what he was saying, there's another great reason other than security to replace the Apache configuration on OS X, which is performance. And then the repair permissions stuff. If someone builds a Cocoa installer and puts a DMG file in there that indicates the permissions that should be applied and timestamps them appropriately, in other words, if they build a proper installer for it, then when you do a repair permissions, it should respect those permissions. And then I was just going to give a heads up to Little Snitch as well. That's a good program. And Little Snitch and PGP both, I don't include in my presentation, but they definitely deserve inclusion.

So all right, so Mac OS X security tools. Basically I'm just picking up where Jay left off. So rather than, I guess rather than more of an internal side, I'm talking about different system tools that you apply after you do Bastille, so to speak. But I definitely heavily endorse Bastille. I've been using it in beta as well, and it's great. And obviously we definitely always assume that the system is going to be compromised when we deploy them, right? I mean, not assume that it is, but assume that it can be.
Does anyone mind if I kill my presentation and give it the way I gave my last one? I hate the transforms and things. So all right, so as Jay talked about, Bastille is a great tool for locking down Macs. A lot of what it does involves the internals, ipfw, some of the other services like CUPS obviously we saw, and we're going to pick up where he left off.

The first tool, Nagios. Who here runs Nagios? There's a great book on Nagios available, I think, at the No Starch desk from No Starch Press. It's a great book. Nagios is more of a system monitoring tool, and you can build customizable rules for it. In large-scale Mac deployments, it's great. It builds perfectly on the Mac. In fact, at Macworld last year, someone gave a talk specifically on running Nagios on Mac networks. So, big fan of Nagios.

Who here's used Radmind? Radmind, the Apple certified trainer. This is a program out of the university level, which have very large-scale Mac deployments in a lot of cases. I think University of Helsinki is over 20,000. And it's a centralized software update tool for non-packaged installers. If you have more than, I'd say, 5,000 Macs, then you've pretty much outgrown what ARD can do for you, and jumping into Radmind is definitely a good solution. You can also deploy config files and other specific file-based things. And it's free.

And then Tripwire. Who here's used Tripwire? Not everybody? You're here. Have you... Anyone who's used Tripwire, have you opened your laptop at the conference? Yay, you admitted it. So Tripwire makes hashes of your file system, and then you can quickly compare for system changes and things of that nature. There is a great GUI tool for Tripwire, if you're still using it at the command line, for the Mac called CheckMate. It plugs directly into your System Preferences. It does not work on the Intel chipset, which I've been testing a lot of stuff on the Intel chipset, but the tools that I use mostly.
So for that, you might still need to use the command line Tripwire, but it's a pretty good GUI tool, and it plugs straight into your System Preferences. rkhunter is just a thing that looks for known rootkits. Personally, I script both CheckMate and Tripwire and rkhunter to run at night on systems to check. OS X Server specifically comes with ClamAV installed, so you can actually, without doing any installation or any updates, you can actually script ClamAV to run every night. So it's built into the OS. For OS X workstation, it's not. There is a program that will build it into the OS at the GUI level called ClamXav. Who's run that before? That's a great little tool. My only issue with ClamXav is it does not actually repair viruses. It only detects them. So you still need to end up getting Norton Antivirus if you get infected, which most Macs are infected. And that's not necessarily Apple's fault. It's Microsoft Office in most cases.

So next, Snort. Who's run HenWen before? And who's run Snort in the command line on OS X before? So a couple fewer hands, fewer hands, sorry, yeah, FreeBSD doesn't count. As Apple engineers often tell me, OS X is not FreeBSD. When I talk about editing certain files, they're like, dude, that's not going to work. Anyways, HenWen is helping Mac people be more secure by actually applying not only intrusion detection but intrusion prevention based on the Guardian Perl script that you can launch within. So of the people who use HenWen, who uses the Guardian script inside of HenWen? So I have teachers that do that, which is kind of an interesting concept. Like your third grade teacher running an intrusion prevention system, but that's a great tool, especially if you're not concerned about a client that would actually be able to be used for DNS, DOI systems and things of that nature. So as far as Guardian goes, there is always the ability to essentially attack the system. I mean, who all saw the dance talk last year?
So you can always attack a system that you know is running some kind of intrusion detection system, but using known IP addresses that that machine needs to communicate with, and therefore DoS the machine based on the network services that it needs. So that's something to be concerned with if you're running Snort or any of the crime servers, but for the most part, if you're doing extrusion detection type of security, you don't really need to worry about that for the most part. And then Snort, obviously, awesome customer headsets. You can, in a lot of Mac environments we see SonicWALLs; that seems to be a very good marriage for SonicWALL and Apple, etc. And in those cases you can actually run different plugins for Snort that will update the SonicWALL and block IPs based on the rules that have been tripped up. Also, by the way, it takes out the need to install libpcap; it actually automatically does all the things that you normally have to do by hand to get started to work on them. So it's an excellent way to work on them. It also doesn't run on install shows.

So how about desktop? ARD 3.0 has a lot of updates over ARD 2, if you were using ARD 2 it's part of being extra 500 bucks or whatever for it. It's used primarily for keeping software updated, deploying package-based installers. It basically, Radmind should have gone after this in my presentation because it fills the gaps of ARD. So ARD gives Apple OS X VNC, it gives it the ability to send shell commands to client machines without SSH. But what it doesn't do is it doesn't deploy non-package-based installers. So in a lot of environments people will build lists of the files that have been changed and then deploy those in ARD, but Radmind actually kind of fills that void. So local administrative users automatically have access to an ARD client. So if you turn ARD on, any local admin user has access to the system. And then, yeah, I already said that.
So the next thing, Open Directory. I said password policies, but I should have just said Open Directory policies. A big movement in the Mac OS X Server community is to cross-realm Mac server with Active Directory, therefore providing Open Directory, which is Apple's version of Active Directory, and Active Directory to your network. What that enables you to do is have your Kerberos authentication occur through Active Directory and then have any policies that you want applied to your Macs still be applicable through OS X Server. That's one of the things that I've been doing for six months, about 80% of my time. So it's kind of a big trend in more enterprise-level networking. And in a lot of those cases you'll have 300, 400 Macs in a 10,000 node environment. So you don't want to necessarily extend your Active Directory schema to accommodate for them. And cross-realming helps you keep from having to do that. Another great product, which I think I mentioned in a later slide, but fits in here, is Centrify. Centrify will allow you to do those same things. But it will actually allow you to edit those from the GPO tools. And who's used Active Directory with the GPO tools and, okay, so, all right.

So I guess I don't really need to cover too much about ipfw because Jay kind of went into a lot of that. But there's also another thing that you can run in conjunction with ipfw called dummynet, which rather than block traffic allows you to throttle traffic. So for example, if you're running an Apple file protocol server and you want to limit the traffic that AFP or NFS can take on that server, you can actually use dummynet to limit that to half a gigabit, you know, on a gigabit interface. Or if you're aggregating your links, maybe a gigabit on a 2-gig interface. This actually expands your ability to do traffic control, which is kind of cool. In an Open Directory environment, by the way, password server doesn't replicate across your topology.
So what this can do is, by default, each Mac is going to look at your Open Directory primary controller. So what you can do, you can use dummynet to actually throttle the traffic for each node. So you can essentially force them to use replicas as opposed to your main servers, you know. That's kind of a cool feature that it would be nice if Apple actually built into a GUI. So if there happens to be anyone from Apple in the audience.

So I gave Centrify a full slide. It's a nice product. It's clean. You can actually add any Active Directory schemas. It just kind of puts MCX files out in the open. So what's an MCX file? If you have needs, like let's say you want all of your Photoshop users to be limited to not have a certain menu or something of that nature, you can actually customize your rules or your policies in Open Directory as MCX files. So that's kind of a cool feature. It makes the policy settings extensible. When you customize those MCX files, then you can plug them straight into Open Directory and have them replicate throughout your Mac enterprise. Bastille will export its settings into MCX. So you can actually configure something in Bastille and then plug it directly into Open Directory and push it out like that. So very nice feature. How am I on time? Anyone? All right.

So service control. I kind of mentioned the fact that cron is deprecated in OS X. It's pretty easy to actually fire it back up. You just run it once, reboot, and cron is good again. But Apple is planning on removing it completely at some point and so they're trying to push everyone really heavily into moving over to using launchd. Was everyone here in my previous speech or? No. Right on. So just to cover, there is a GUI tool for launchd and it's called Lingon, and you can deploy it across a lot of machines pretty quick using ARD. It's a packaged installer. Then it just gives you an msconfig-looking screen and allows you to configure services that way.
And it allows you to configure whether or not it's running as the user or root or something of that nature. So Lingon makes it pretty easy to determine which applications are loading and why as well. So if you've got a machine that's running slow, it gives you more troubleshooting tools. So you can actually look at a service, look at the path that's firing up the service, look at why it's firing up the service essentially, and then disable it and push that out as a policy or just push it out as a config file change. So unlike traditional BSD flavors, Apple highly discourages you to actually customize your rc files. So if you edit your rc.local, then it can be replaced at any given point in time, like your next reboot possibly. So don't do that. And if you are a member of the OS X Server list and you say edit your rc.local file like I did a pretty good while back, then expect to get flamed because they can be pretty, you know. So then I just listed a few paths for other startup items. So if you've got other startup items and you want to disable them or look at what's starting up and why, then it's right there. All right.

So reacting to security incidents is kind of interesting in the Apple community. In a lot of cases, they're not used to it. So they don't react to it. They'll just reformat the machine and move on or something of that nature. Securing systems is one thing, I don't even like this slide, sorry. Has anyone used Symantec iButton by the way? That's a great little feature that they plugged into their new stuff. It doesn't run on Mac. It's more of a Windows thing, but it's a nice product. When it comes to building your own tools, things like Cocoa development, X11 development, there are a lot of Cocoa guys that will actually help and guide you through building Cocoa installers or real basic installers if you want to go down that route for the Apple platform. And then if you build a tool based on a bunch of shell commands, you can easily port them into Cocoa.
You can just create a button and apply them to a shell script. So it's not that difficult to build your own security tools if you want to deploy them for your users. In addition to Cocoa, there's also AppleScript, which is less GUI-oriented. And in addition to AppleScript, there's this thing called Automator, which is a great way to send people things like shell scripts that fire up and run rm -rf or something. So, anyways, that was lost on everybody here. Was it just me? You can do it! Anyways, so the Apple community is becoming a lot more friendly to security, but I still get asked the question a lot of times, why do I need a password? And that's something great to know if you're doing, let's say, pen testing in the Apple community, which gets us into traditional security tools like Nessus and Metasploit, which are available for the Mac and pretty much fully compatible. In some cases, as someone from Apple pointed out to me at Black Hat, Nessus may misstate the version of a service that's running and misstate vulnerabilities that might not be existent because Apple may have updated the package but not updated the header file for the package. For example, OpenSSL. So in those cases, manually just updating your header files will fool Nessus and get you completely around that. Not all the tools that are available on Windows are available for the Mac, just like they're not available for Linux. As with other security audits, no single tool is a one-stop shop. And then the last thing I say here is that the business workflow is often very different. Like I said, people still ask, why do I need security? Why is it that if I enter my password more than three times, it locks me out? They're very, in a lot of cases, ambivalent towards security. And when you're architecting a solution or architecting a network, this can kind of get in the way. For the most part, they're catching up.
So the fact that they've had exploits and they've had bugs and, like the new AirPort drivers, they're starting to kind of get the point. That was my hour-long talk condensed down to 15 minutes. Questions? Thanks.

Yeah. I think I was just going for making them a little different. The typical load balancer or the typical firewall that you might see in more of an enterprise environment, like as was pointed out earlier, a lot of Mac environments still have like a dedicated DSL connection, and the network admins actually don't attach them to their corporate network. They're not running, in a lot of cases, any centralized username, password, authentication. In a lot of cases, it's just 100 standalone machines that happen to, by the way, tap directly into the Exchange server or the Lotus Notes server using the Mac client and therefore offer some form of connectivity between the networks, albeit discrete in some cases. So I still see a lot of networks and a lot of network administrators that are just like, I don't want any Macs on my network, period. They get to go on that network, and we just do our thing. And I mean, for the most part, Samba, CIFS, it's the same protocols now, and it's becoming a different environment. And I think a lot of Windows admins just haven't picked up on that yet.

Can I run my mouth for a second? Sure enough. All right. A couple of things. The Open Directory password policies don't get applied if you're authenticating to Active Directory. It'd be the Active Directory policies, right? If you're cross-realming, your Open Directory policies get applied to Mac clients. Well, the preferences would, the managed. The golden triangle? Yeah. Well, yeah, it depends on how you're doing it, but your authentication is still coming from the Windows side. So the policies. Yeah. If I missed it. Oh, no. Like I said, I'm just running my mouth. No, that's true. That's what I'm here for.
The Kerberos still comes from Windows, and then your policies come from your MCX files on the Macs. And ARD only has, is only enabled on admin users in the rare instance of the very first admin user created in Server if you enable it in the setup pane. All other users have to, on a per-user basis, you have to set up the privileges, actually, unless you install them via like a custom package. Because it maintains a separate. Is that just for three or for two one as well? Two did that actually as well. So like on Server, the very first admin has it, and then everyone else, like if you create subsequent admins from there, they don't have any access. And then ARD 3, now you can limit by what, if they're an admin or a non-admin, you can actually kind of limit what their privileges are. But yeah, you still have to enable them individually. So, I mean, well, you can test it. Yeah, well, yeah. We'll think for the later.

And so, a password server does replicate. It's the first server it can find. So like it's like a ping test, basically. So it will contact the master and the replica. And if the replica talks to it quicker than the master does, then it'll auth that way. But like, you know, so, like you said, just upstaging and running my mouth. No worries. No, if I said something wrong. I mean, I've definitely seen a lot of cases. And maybe it was fixed in 10.4.7 where SASL and various components just don't, it's all about the topology. And in almost every case that I've ever touched an Open Directory network, it was deployed wrong. And I mean, I've seen Open Directory networks with Kerberos that don't have network time servers, that don't have DNS servers. And those are core components of any network service. I mean, you can't install Active Directory without installing DNS for the most part. So, and that's the same, it should be the same in an Open Directory installation. If you click on the start Open Directory button, it should say, you don't have DNS configured.
Did I create a reverse IP address? And you know, yeah, next week. So anyways, any other questions? Deep Freeze? Deep Freeze. Right on. I'll play with it tonight. I haven't played with it yet. All right. Thanks, guys.