Monthly Archives: December 2011


My New Book on Time Machine Now Available

I have published a new book on Time Machine (Time Capsule, deployment/Managed Prefs and Time Machine Server as well). I wrote it months and months ago and it finally ended up getting posted (publishing is a weird world like that sometimes). It is available for Kindle (Amazon) for now and should be up on the iBooks store as soon as the good people from iTunes Connect get back from their holiday break. To quote the Amazon excerpt:

Time Machine is Apple’s built-in backup solution that comes bundled with Mac OS X. In this book, we will explore Time Machine, looking at how to enable Time Machine, configure what to back up and where to back up to.

Much of Time Machine has to do with the network environment that a computer is in, or the ecosystem. In this book, we look at using Apple AirPort and Time Capsule in such an ecosystem. We also look at using network attached storage and other 3rd party solutions, as most environments are heterogeneous.

This book is written from the ground up for Lion. As such, tools like FileVault 2 are covered. We also look at getting more granularity in your backup configuration, as well as third party tools used to back up Lion computers. And of course, no book about Time Machine in Lion would be complete without taking a look at Time Machine Server, a way to centralize backups in an environment around the Time Machine solution.

Finally, Time Machine is more scalable than ever in Lion; however, mass integration may require centralized management (such as Managed Preferences) or scripting automations to configure backups. In this book, we will look at typical deployment scenarios and what else needs to go into moving Time Machine from a basic backup tool to a much more comprehensive backup solution.

This is my first foray into the eBook publishing thing, so if you see anything off, that I missed, etc please let me know. The book is available here or using the link below:


Setting Up Promise for Direct Attached Storage

With the advent of the latest Promise Arrays, I’m starting to see more and more environments stacking a boat load of shelves of storage on top of one another (e.g. for CrashPlan). As such, it occurs to me that I haven’t really covered the initial configuration of a Promise here. The way I like to set them up is using configuration scripts. I’ve been using different iterations of the same scripts for a long time. This script is meant to automatically format 1 E and 7 Js of Promise storage and set up the LUNs named EData1, EData2, J1Data1 and J1Data2, J2Data1, J2Data2, etc. These LUNs and their controller configuration are meant to be used for Direct Attached Storage (although swap out readcache w/ readahead).

Provided that the hardware is racked and the stacking cables connected properly (verify you see all of the shelves before running it), simply open Safari from a machine on the same network as the arrays and then use the Bookmarks menu to Show All Bookmarks. If you have multiple VTrak J-Class expansion chassis, connect their SAS cables from the circle SAS port on the first VTrak J-Class to the diamond SAS port on the second VTrak J-Class and down the line until they’re all connected. I usually like to restart them once they’re all connected (or wait until they’re connected to interconnect them). The boot sequence can take a while when you have a lot stacked atop one another, so be patient. Don’t do any configuration until you can see all of the shelves in WebPAM…

The Promise array should have picked up an IP from DHCP and be announcing itself via Bonjour. Click on it and then log in at the WebPAM (the default username is administrator and the default password is password). Then assign a static IP address to each of the three interfaces, change the admin password and upload the following script (copy it to a new file on the desktop of the machine you’ll be uploading it from, preferably using the command line so there are no special characters).

To upload the script click on Administrative Tools and then click on the Import tab. Set the Type drop-down menu to Configuration Script and then use the Browse button to select the file you saved this script into. Then click on Submit and provided you don’t get any errors you should see all of the lights go blue and the LUNs will start formatting.

#written by Charles Edge for Tedd
#1 E and 7 Js at 2 LUNs Each Shelf with 8 drives in RAID 5 per LUN
#Direct Attached Storage
ctrl -a mod -i 1 -s "lunaffinity=enable, adaptivewbcache=enable, hostcacheflushing=disable, forcedreadahead=disable"
ctrl -a mod -i 2 -s "lunaffinity=enable, adaptivewbcache=enable, hostcacheflushing=disable, forcedreadahead=disable"
array -a add -p 1,2,3,4,5,6,7,8 -s "alias=EData1" -c 1 -l "alias=EData1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 9,10,11,12,13,14,15,16 -s "alias=EData2" -c 1 -l "alias=EData2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 17,18,19,20,21,22,23,24 -s "alias=J1Data1" -c 1 -l "alias=J1Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 25,26,27,28,29,30,31,32 -s "alias=J1Data2" -c 1 -l "alias=J1Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 33,34,35,36,37,38,39,40 -s "alias=J2Data1" -c 1 -l "alias=J2Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 41,42,43,44,45,46,47,48 -s "alias=J2Data2" -c 1 -l "alias=J2Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 49,50,51,52,53,54,55,56 -s "alias=J3Data1" -c 1 -l "alias=J3Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 57,58,59,60,61,62,63,64 -s "alias=J3Data2" -c 1 -l "alias=J3Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 65,66,67,68,69,70,71,72 -s "alias=J4Data1" -c 1 -l "alias=J4Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 73,74,75,76,77,78,79,80 -s "alias=J4Data2" -c 1 -l "alias=J4Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 81,82,83,84,85,86,87,88 -s "alias=J5Data1" -c 1 -l "alias=J5Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 89,90,91,92,93,94,95,96 -s "alias=J5Data2" -c 1 -l "alias=J5Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 97,98,99,100,101,102,103,104 -s "alias=J6Data1" -c 1 -l "alias=J6Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 105,106,107,108,109,110,111,112 -s "alias=J6Data2" -c 1 -l "alias=J6Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
array -a add -p 113,114,115,116,117,118,119,120 -s "alias=J7Data1" -c 1 -l "alias=J7Data1, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=1"
array -a add -p 121,122,123,124,125,126,127,128 -s "alias=J7Data2" -c 1 -l "alias=J7Data2, raid=5, readpolicy=readcache, writepolicy=writeback, preferredctrlid=2"
init -a start -l 0 -q 512
init -a start -l 1 -q 512
init -a start -l 2 -q 512
init -a start -l 3 -q 512
init -a start -l 4 -q 512
init -a start -l 5 -q 512
init -a start -l 6 -q 512
init -a start -l 7 -q 512
init -a start -l 8 -q 512
init -a start -l 9 -q 512
init -a start -l 10 -q 512
init -a start -l 11 -q 512
init -a start -l 12 -q 512
init -a start -l 13 -q 512
init -a start -l 14 -q 512
init -a start -l 15 -q 512

It would also be a really, really good idea to make sure that the UPS is capable of handling this much load. The arrays will likely spike power consumption for a good 10 hours. Monitor the formatting. If there are any problems, delete all of the LUNs, comment out the ctrl lines, fix whatever problems there are and run the script again. The lines that start with ctrl configure the controllers, the ones that start with array configure the arrays and the lines that start with init perform a quick initialization on the LUNs (ya, 10 hours is quick).

Finally, forcedreadahead is a setting where a lot of people eke out extra performance. For DAS environments with a lot of shelves of storage stacked through the SAS interconnects it’s hard to say whether or not you’ll realize a lot of performance gain. This can be enabled later to see, but is one of the only settings I’d really tweak in a direct attached environment. Hope this helps someone!


Opening a Terminal Window From, Well, Terminal

Terminal is a great application. And we usually use Terminal for editing scripts and invoking things. But what about invoking Terminal from, well, Terminal. For starters, let’s look at opening a Terminal session to the root of the boot volume (aka /):

open -a Terminal /

The -a option, when used with the open command, lets you specify the application in which the item given as the next argument will open. For example, you could open an XML file in Xcode:

open -a Xcode /usr/share/postgresql/pg_hba.conf.sample

You could then open Terminal by passing other commands into the command. For example, to open a new Terminal window to the current working directory:

open -a Terminal `pwd`

Of course, you could accomplish the same thing with:

open -a Terminal .

Or pass the output of other commands through the open command. For example, the following command opens a new file in TextEdit that contains the output of an ls command:

ls | open -f

Adding -g to any of this leaves the new window in the background rather than bringing it to the foreground, which is the default behavior. Finally, open can also be used to open URLs, but I’ve covered that sort of use for open in the past.


Disable New Window Animations in Lion

New windows in Lion have an animation, by default. With older systems, this can cause issues in other applications and disabling the feature (as cool as it may be) can help to remediate that problem. To do so:

defaults write NSGlobalDomain NSAutomaticWindowAnimationsEnabled -bool NO

To then turn them back on:

defaults write NSGlobalDomain NSAutomaticWindowAnimationsEnabled -bool YES


Running iPad Apps on Apple TV

In what in my opinion is likely to be a preamble to hacking what an eventual Apple TV would look like, enterprising hax0rs have put together windowing managers and are now running iOS apps using a custom springboard for the Apple TV. Pretty awesome stuff IMHO!


10 Tips on Policy Enforcement and Tracking for Mac OS X

Large deployments of Mac OS X based systems are becoming more and more prevalent. In some ways, this is due to one to one programs and more frequent enterprise deployments of Mac OS X. As such, people are more and more looking to manage systems. And any time you have systems being managed, those using managed systems start looking to break the management of the computers. Therefore, a new topic comes up: trying to discern when a system has broken out of the management framework. For example, how do you know when users have broken your firmware password? How do you know when they’ve circumvented your managed preferences framework to give themselves teh root? How do you know when they’ve traded access to teacher tube to some other video site with more scantily clad teachers on it? How do you know when employees have unlocked the “My IT Department Sucks” badge on Foursquare at work, even though your firewall specifically doesn’t allow access to social networking sites?

Here are some tips, most of which assume there is some form of patch/policy/update management solution (e.g. Casper, Absolute Manage, FileWave, Puppet, etc) in use in the environment:

  • Create a jailed environment. If the system breaks any of the other rules then put them in the jailed environment. While in the jailed environment, revoke Internet access (e.g. set an invalid proxy, static the gateway to 127.0.0.1, kill name resolution or something like that). Also alert admins any time the system is jailed.
  • Hide your admin accounts: http://krypted.com/mac-os-x/mac-os-x-hey-wheres-my-admin-user/ and pre-Lion, possibly an entirely hidden dislocal node.
  • Check the date and time stamp of /var/db/shadow/hash daily. If the date/time stamp does not match the last time you changed the password then the system has broken the policy. In Lion, check the contents of /var/db/dslocal/nodes/Default/users and check root/your local admin, as well as your local admin password.
  • Set the firmware password: http://krypted.com/mac-os-x/those-pesky-firmware-passwords but use your patch management to set it more frequently – or check the contents of the firmware password against what it should be (such as at http://paulmakowski.blogspot.com/2009/03/apple-efi-firmware-passwords.html). You cannot “lock” or force a firmware password, but you can verify that they haven’t been changed.
  • Check pmond; if the mode of any files is not as intended then reset and alert that it was changed. You could scan other binaries, particularly in /bin, /usr/sbin, etc w/ something like tripwire: http://krypted.com/mac-os-x/basic-installation-of-tripwire
  • If Lion, enable Full Disk Encryption, which requires the recovery partition. So hack the recovery partition to remove reinstall abilities and anything else dangerous in your environment: http://krypted.com/mac-os-x/hacking-around-in-lions-recovery-mode
  • If using mcx, compare the mcxread output to that which is expected (e.g. for a user or a computer, I wouldn’t mix them given that you may get more false positives than you want)
  • Consider an old security topic: extrusion detection. Here, we look for traffic patterns that would be normal only if the system were an unmanaged host. For example, if part of your management is to proxy traffic and the system is not using your proxy then that could be a problem. So look for unproxied traffic hitting your firewall from systems where it shouldn’t.
  • My favorite: the honeypot. Put something on the computers that looks awesome, that users just can’t help but think they just have to open. For example, a file called “Access to the Grading System” in a school or “Admin Access to Payroll System” in a company. Something almost ridiculously named. Put it somewhere that only a user with administrative access could get (like the desktop of your local admin account). When they open it, disable loginwindow.
  • Finally, take a hard line with those who break the rules. Making an example of someone is sure to end up greatly reducing those who might follow in their footsteps. In a corporate environment this can be tricky, as people have to do their jobs, but feel free to be crafty. I like the old scarlet letter approach, or caning. But given that those aren’t quite so popular any more, perhaps pop-up screens that say “HAHAHAHAHAH, we busted you – you were pwnd suckah!” every 15 minutes that flash pink and yellow so all their friends can see it isn’t a bad call. In schools, particularly in one to one environments, such would be particularly embarrassing, but we don’t want to scar them for life. Thus the significant drop in caning. You could also take the machine away for a day or two, (time to reimage it). Maybe force them to use SimpleFinder…
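
The mtime and file-mode checks from the third and fifth tips, as an added example that is not part of the original post: a POSIX sh script that records a baseline of mode and modification time for files you care about and later reports anything that has drifted, which is the cue to alert and jail the machine. The file paths in the comments and test are assumptions for the demo; on a real Mac you would point it at the local admin record under /var/db/dslocal/nodes/Default/users and at binaries in /bin and /usr/sbin.

```shell
#!/bin/sh
# Added example, not the post's own code: policy-drift check for managed Macs.
# Baseline format is one line per file: "<octal mode> <mtime epoch> <path>"
# (path last, so paths containing spaces survive the read loop below).

# Print "<octal mode> <mtime epoch>" for one file.
# macOS stat takes -f (BSD), GNU/Linux stat takes -c; both are standard there.
file_sig() {
    if [ "$(uname)" = "Darwin" ]; then
        stat -f '%Lp %m' "$1"
    else
        stat -c '%a %Y' "$1"
    fi
}

# record_baseline BASELINE FILE...
# Run this once right after you set the admin password / firmware password
# / binary modes, so the baseline reflects the state you intend to enforce.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(file_sig "$f")" "$f" >> "$baseline"
    done
}

# check_drift BASELINE
# Prints "DRIFT <path> was <mode> <mtime> now <mode> <mtime>" for each file
# whose mode or mtime changed since the baseline and "MISSING <path>" for a
# file that was removed. Returns 1 if anything drifted (hook your patch
# management's alert/jail action on that), 0 if the machine still matches.
check_drift() {
    drift=0
    while read -r mode mtime path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            drift=1
            continue
        fi
        now=$(file_sig "$path")
        if [ "$now" != "$mode $mtime" ]; then
            echo "DRIFT $path was $mode $mtime now $now"
            drift=1
        fi
    done < "$1"
    return $drift
}
```

Schedule check_drift daily from your management agent and have it page an admin (and trigger the jail steps from the first tip) whenever the exit status is non-zero.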
The balance between giving users the ability to have as open an operating environment as possible while still enforcing the basic policies that the organization has deemed are required is a struggle. Especially if all of the users have admin accounts. But we’ll address that one at a later time… For now, I’d like to hear some of the things others have done. Normally I don’t solicit commentary on my site, but I figure the site turns 8 years old in a few weeks, so why not! Oh, did I mention, there’s a prize for the most awesome comment!