Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint
Share this Page URL

What You’ve Learned

This chapter addresses some of the most fundamental reasons why administrators exist. Not just anyone can walk into a company and rifle through filing cabinets and access any document they like. Doors and filing cabinets are locked and only appropriate people are given keys. Company policy should define what and when to lock, and system administrators enforce those policies via technology. Mac OS X provides broad means to do so. Specific points to understand about this process are as follows:

  • Authentication is the process of identifying credentials for an account. Authorization processes determine an account’s right to perform a specific operation.

  • Credentials may be supplied as a name and password combination, two-factor authentication (ID/password plus smartcard), or public-key ID certificates.

  • Physically protecting systems is equally as important as the digital barriers. Given physical access to a machine, it can always be compromised.

  • Hardware can be disabled in software by removing or stubbing the kernel extensions that interface with specific hardware.

  • A hardware password (also known as an “OpenFirmware password”) can prevent modifications to parameter RAM and block most startup keys.

  • PAMs, or pluggable authentication modules, use libraries and modules to determine if supplied credentials are valid for a specific service. Apple has created both libraries and modules that tie into Apple-specific technology, such as Password Service that integrates services into the Mac OS X single sign-on model.

  • SSH provides a secure remote shell. All data is encrypted between the SSH client and SSH server. As credentials, SSH can use traditional name and password pairs, or digital key pairs. ssh-keygen generates an identity key pair. Connecting to an SSH server records its public key, or “fingerprint,” in the account’s ~/.ssh/known_hosts file.

  • Another form of PKI exists in Mac OS X in the form of SSL certificates. Mac OS X Server contains a Certificate Manager in Server Admin, while Mac OS X can manage certificates via the openssl command. Both platforms contain Certificate Assistant, which can generate CA files. A CSR is required for a public CA to be able to sign a self-generated certificate.

  • If your company chooses to run an internal CA, you must distribute the root certificate to internal clients for them to trust the certificate. The certificate must be imported into the system’s X509Anchors keychain.

  • The /etc/authorization file represents the Mac OS X policy database. It defines rights and rules. Most authorization attempts utilize the policy database to determine if an action is authorized. This file can be modified to grant greater or lesser rights to users.

  • Mac OS X uses both POSIX permissions and ACLs to determine access rights for file objects. Access control lists are made up of a series of rules called access control entries (ACEs). Each ACE is evaluated in order, and the first to match applies. If no ACE applies, the POSIX permissions are enforced.

  • chmod is used to set both POSIX and ACL permissions on files and folders. ls is used to view permissions—POSIX or ACL—applied to files and folders.

  • Service access control lists (SACLs) are a method of defining which users and groups have access to a given service. Definitions for SACLs are simple groups in a directory service. These can be manipulated from the shell using dscl.

  • Encryption transforms plain text information into a version that is unreadable to anyone without the decryption key.

  • The Mac OS X FileVault uses an encrypted disk image to protect an entire home directory via AES-128 encryption. Setting a FileVault master password creates a keychain called FileVaultMaster.keychain located in /Library/Keychains/. New FileVault accounts created on a computer with this keychain in place will also include the capability for recovery using the master password.

  • hdiutil can create plain or encrypted disk images. Encrypted disk images can be used to protect files and folders outside of FileVault, particularly those on removable or portable storage.


You are currently reading a PREVIEW of this book.


Get instant access to over $1 million worth of books and videos.


Start a Free 10-Day Trial

  • Safari Books Online
  • Create BookmarkCreate Bookmark
  • Create Note or TagCreate Note or Tag
  • PrintPrint