Help With Stripping Leopard...

Status
Not open for further replies.
My advice on Little Snitch is not to be discouraged by the constant warnings. After a few days marking certain things as "always allow" or "always deny", it will not be a major nuisance.

True, you cannot make it 100% secure, since it's always possible to exploit one of the programs that you must allow access, like mDNSResponder.

There's only so much you can do with software. Do you have a good hardware firewall?

As for editing files, you can do it with command-line tools like vi or nano (using sudo when necessary to edit root-owned files). Personally, I like to use TextWrangler, which is a nice friendly GUI app that lets you open invisible files and also save files that require root privileges (prompting you for a password, of course). If you need to make your own .bashrc file, make sure to set the line break style in TextWrangler to "Unix (LF)" (there's a menu at the bottom of the window, next to the scroll bar).

At this point I wonder if I should go back on my previous recommendation of keeping the BSD subsystem. I'm honestly not sure what all would break if you removed it. It's worth looking into, though.
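A way to confirm the line break setting mentioned above, as an added example that is not part of the original thread: bash splits a startup file on LF, so a .bashrc saved with CRLF or CR-only breaks will not be read as intended. The function name `line_ending_style` and the sample files are made up for this illustration.

```shell
#!/bin/sh
# Added example: report the line-break style of a shell startup file.
# line_ending_style is a hypothetical helper name, not a system tool.

line_ending_style() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    cr_char=$(printf '\r')
    # Count raw LF and CR bytes, then lines that end in CR (CRLF pairs).
    lf=$(tr -cd '\n' < "$f" | wc -c | tr -d ' ')
    cr=$(tr -cd '\r' < "$f" | wc -c | tr -d ' ')
    crlf=$(grep -c "${cr_char}\$" "$f" || true)
    if [ "$cr" -eq 0 ] && [ "$lf" -eq 0 ]; then
        echo "none"      # empty file or a single unterminated line
    elif [ "$cr" -eq 0 ]; then
        echo "LF"        # Unix style, what bash expects
    elif [ "$lf" -eq 0 ]; then
        echo "CR"        # CR-only breaks: bash sees one long line
    elif [ "$cr" -eq "$crlf" ] && [ "$lf" -eq "$crlf" ]; then
        echo "CRLF"      # every break is a CR LF pair
    else
        echo "mixed"     # inconsistent breaks, worth re-saving
    fi
}

# Constructed sample files standing in for a home .bashrc saved three ways.
demo_dir=$(mktemp -d)
printf 'export PATH=/usr/bin:/bin\nalias ll="ls -l"\n'     > "$demo_dir/unix"
printf 'export PATH=/usr/bin:/bin\r\nalias ll="ls -l"\r\n' > "$demo_dir/windows"
printf 'export PATH=/usr/bin:/bin\ralias ll="ls -l"\r'     > "$demo_dir/cr_only"
for name in unix windows cr_only; do
    printf '%-10s %s\n' "$name" "$(line_ending_style "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

Run it against `~/.bashrc` after saving; anything other than `LF` means the file should be re-saved with the Unix setting.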

oh yeah, mDNSResponder hehe! i downloaded TextWrangler. does that mean i just find the .bashrc files (i need to do the system one and the home one), open it, edit it & save it? do i need to use the terminal at all for this? i still want to strip my system down, is that too involved for someone to be able to help me with; seems like it might be. i haven't read the NSA security that Satcomer gave me yet, i will be able to read it on tuesday and see if it can answer any of those questions.
 
You don't need to use the command line. In TextWrangler, go to File > Open Hidden. Choose "Enable: All Files" and then you can navigate to and open any file. /etc/bashrc already exists, but you'll need to create your own Home one. When you save changes, it will ask for your password if it needs it.
 
cool, thanks!!

i still want to strip my system down, is that too involved for someone to be able to help me with? just curious.
 
also, thank you... exactly what i needed. y'all please answer the usr/share question really quick; i can't find the answer on the internet. thx.
 
The "/usr" directory has a good amount of Unix apps and files that Mac OS X (or more likely the BSD subsystem of Mac OS X) may need to use. I wouldn't be mucking around too much in there unless you're looking to break things.

The following should help you understand the file hierarchy of Unix and Unix-like operating systems. For the most part, this also applies to Darwin (the BSD subsystem of OS X).

http://www.pathname.com/fhs/pub/fhs-2.3.html

More of the same from Wikipedia.

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
 
do i need "bsd and flat file nis" checked in directory utility? i just use my computer to play.

i don't understand this, it is from the NSA security guide:

"Understanding Network Services, Authentication, and Contacts
You can use Directory Access to configure your computer to use a network-based
directory domain. Directory search services that are not used should be disabled in the
Services pane of Directory Access....
For more information about using Directory Access, see the Open Directory
administration guide."

i still don't understand it, it is the network stuff that i don't understand, can anyone explain it in layman's terms or is it too involved? sorry i feel really stupid.
 
are the "keychains" used by the system to verify your password when logging in or are they just stored for you in case you forget it?
 
Yes, keychains are used by the system when logging in, as well as any other applications that you have allowed to save passwords in the keychain (for example, Apple's Mail.app uses the keychain to store passwords for retrieving/sending mail).

Keychains are used so that you don't have to type your ISP's mail server password every time Mail.app checks for new mail, and are used with Safari so you don't have to type your MySpace/Hotmail/etc. password every time you visit those sites, in addition to any other application that would require or use a password.

Passwords are not automatically stored in the Keychain, unless you specify that they should be (usually with a checkbox option like "Remember this password" or "Add password to keychain" or "Save this password").
 
CuteCari, the Directory Access app is there in case you need to access specific types of managed networks, such as Microsoft's Active Directory, Microsoft's old NT Domain network, etc. For home users, this isn't too important and usually what's set up in there by default (AppleTalk, Bonjour, SMB) isn't a big deal. You could turn off stuff like Bonjour and SMB if you're not sharing with Windows PCs, but then disabling Bonjour would not allow you to detect other devices on your network that support Bonjour. AppleTalk is necessary if you're sharing with other Macs. However, you can try disabling them and see if anything weird happens (like losing network connectivity, for example). If so, then re-enable them. If things continue to work as normal, then you can leave them disabled.
 
"AppleTalk is necessary if you're sharing with other Macs."
...only if they're pre-OS-X Macs and do not support AFP.

AppleTalk != AFP, the same way that JavaScript != Java.

AFP is the successor to AppleTalk, which was a very chatty and inefficient network protocol. AFP (AppleTalk Filing Protocol) came along and took some cues from AppleTalk, but that's it... they have similar names, but are very different network protocols.
 
You're right. I just took it for face value. :p
 
ok, i have done everything that the NSA security thing said. i love it because it didn't say.... "that can't happen" or "scientifically, that is not possible", it just gave me instructions! yea!!!! (not saying that y'all said those things, but you know, everyone else in the whole world did).

ok, last 2 questions. based on the fact that i do not share anything with anyone, computer wise or any other way. the only things i do on my computer now :) are....

-play with icons
-play on the internet (myspace, etc)
-go on the internet to my hotmail page
-use iChat occasionally

no mail, no iphone sync, nothing, no downloading, nothing, nothing....


first, will the command *.* /var/log/all.log make the logging permanently change to the "all log" instead of logging everything in different places... key word being permanently.

second, please see the picture of the little snitch screen i took and if you can, please tell me what i need to disable & any other info that would be helpful to me, like recognizing something or something :) hehehe...

you guys are awesome! thank you sooooo much!!
 

Attachment: Picture 1.png

nmblookup should not be necessary unless you use file/printer sharing with Windows systems (and then only if you access them by their NetBIOS names rather than IP addresses).

ntp and ntpdate could be disabled if you don't want to synchronize your system's clock over the Internet.

As far as I know, you can safely disable the mDNSResponder rule as long as you don't use Bonjour-based services like iTunes' playlist sharing. I think you can also disable PubSubAgent if you don't use RSS feeds.

I'm not entirely sure how the AIM protocol used by iChat works, but I don't think "all connections" should be necessary to get it working. I think you should only need to connect to the AIM servers. I could be wrong, though. You can test it and see using Little Snitch's monitor. I'd do it myself, but nobody I know is online at the moment. (I feel so alooooone!)

Little Snitch won't let you delete these rules, but you can un-check them.

are you guys real? my computer is still messed up.... i don't think anything is real.

:confused: Messed up how?
 