Apple releases Mac OS X Leopard Security Guide

Released on Monday, the guide document is a 3.4MB PDF. The guide is aimed at experienced users, Apple says, familiar with the Terminal application and its command-line interface.

Some instructions in this guide are complex, and deviation could cause serious adverse effects on the computer and its security. These instructions should only be used by experienced Mac OS X users, and should be followed by thorough testing.

The guide spans basic "hardware" security practices as well as the new security features introduced in Leopard, such as library randomization and sandboxing.

There are all kinds of tidbits in the document. For example, I didn't know about support for Smart Card authentication for unlocking and encrypted storage devices on Mac OS X.

Leopard supports four token modules with two-factor authentication mechanisms and Java Card 2.1 standards: Belgium National Identification Card (BELPIC), Department of Defense Common Access Card (CAC), Japanese government PKI (JPKI), and the U.S. Federal Government Personal Identity Verification, also called FIPS-201(PIV). Go figure.

Here's the list of topics in the guide:

Chapter 1, “Introduction to Mac OS X Security Architecture,” explains the infrastructure of Mac OS X. It also discusses the layers of security in Mac OS X. Chapter 2, “Installing Mac OS X,” describes how to securely install Mac OS X. The chapter also discusses how to securely install software updates and explains permissions and how to repair them. Chapter 3, “Protecting System Hardware,” explains how to physically protect your hardware from attacks. This chapter also tells you how to secure settings that affect users of the computer. Chapter 4, “Securing Global System Settings,” describes how to secure global system settings such as firmware and Mac OS X startup. There is also information on setting up system logs to monitor system activity. Chapter 5, “Securing Accounts,” describes the types of user accounts and how to securely configure an account. This includes securing the system administrator account, using Open Directory, and using strong authentication. Chapter 6, “Securing System Preferences,” describes recommended settings to secure Mac OS X system preferences. Chapter 7, “Securing Data and Using Encryption,” describes how to encrypt data and how to use Secure Erase to verify that old data is completely removed. Chapter 8, “Securing System Swap and Hibernation Storage,” describes how to secure your system swap and hibernation space of sensitive information. Chapter 9, “Avoiding Multiple Simultaneous Account Access,” describes how to avoid fast user switching and local account access to the computer. Chapter 10, “Ensuring Data Integrity with Backups,” describes the Time Machine architecture and how to securely backup and restore your computer and data. Chapter 11, “Information Assurance with Applications,” describes how to protect your data while using Apple applications. Chapter 12, “Information Assurance with Services,” describes how to secure your computer services. It also describes how to protect the computer by securely configuring services.