Category Archives: Mac Security


DeviceScout

DeviceScout is a tool that leverages JAMF’s Casper Suite to show administrators vital statistics and alerts on client systems. These alerts surface some of the critical aspects of a system, from encryption status to disk capacity to backups; there are a number of pretty cool aspects to DeviceScout.


Using the device view, you can view serial numbers, device types, check-in status, boot volumes, memory, etc. It’s a lot of insight into what you have on your systems. I’m a huge fan of such visibility. You will need to be running Casper to leverage DeviceScout, but it provides a very simple interface for management and even techs to see what’s going on in your enterprise in as quick a manner as possible. Inventory, security status, backup status and a support menu at your fingertips.

With very simple pricing, check out what they have to offer at http://www.devicescout.com.


Configure Syslog Options on a Meraki

Meraki has a syslog option. To configure a Meraki to push logs to a syslog server, open your Meraki Dashboard and click on a device. From there, click on “Alerts & administration”.


At the “Alerts & administration” page, scroll down to the Logging section. Click on the “Add a syslog server” link and type the name or IP address of your syslog server. Put the port number into the Port field. Then choose which types of events to export. These can be Event Log, Flows or URLs, where:

  • Event Log: The messages from the dashboard under Monitor > Event log.
  • Flows: Inbound and outbound traffic flows generate syslog messages that include the source and destination and port numbers.
  • URL: HTTP GET requests generate syslog entries.

Note that you can direct each type of traffic to a different syslog server.


MacSysAdmin 2014!

Well, it’s that time of the year when one of my favorite conferences opens up registration! Come one, come all to MacSysAdmin for good times, good people and lots of fun Macinnerdiness! I hope to see you there! The official page is up at http://www.macsysadmin.se.


Heartbleed in Comics


Redirect Logs To A Syslog Server In OS X

I could have sworn that I’ve written this up before, but I just tried to link it into the article for tomorrow and it’s not on my site, so here goes. To redirect logs in OS X to a syslog server, open /etc/syslog.conf and add the following line (assuming an IP of 10.10.10.92 – replace that with the IP of your syslog box):

*.*                                       @10.10.10.92

To customize the port number (e.g. 9200) use @10.10.10.92:9200 instead. This should be instant but you can always use launchctl to unload and reload syslog if for some reason it isn’t. If you’re scripting this you can then programmatically send some information to the server. For example, if you enter the following, you should see an entry for testtesttest in your syslog server for the host you just configured:

logger testtesttest
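If you are pushing this change out from a deployment script, the line has to be added exactly once, or you end up with duplicate rules after every run. The following is an added example, not code from the original post: it builds the destination string from the host and optional port, appends the rule only when that exact line is absent, and keeps the launchctl reload and logger test in a separate function that needs root. The function names and the config path being a parameter (so it can be tried on a copy first) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add a
# "*.*  @host[:port]" forwarding rule to a syslog.conf file.
# Assumed: function names, and the config path passed as a parameter
# so the logic can be exercised on a scratch copy before touching /etc.

# Print the syslog destination for a host and optional port,
# e.g. "@10.10.10.92" or "@10.10.10.92:9200". Returns 1 on a bad host.
syslog_target() {
    host="$1"
    port="$2"
    case "$host" in
        ''|*[![:alnum:].:-]*) return 1 ;;   # empty or contains odd characters
    esac
    printf '@%s%s\n' "$host" "${port:+:$port}"
}

# Append the rule to the given syslog.conf unless the identical line is
# already there. Returns 0 when the file contains the rule, 1 on a bad host.
add_syslog_forward() {
    conf="$1"
    target=$(syslog_target "$2" "$3") || return 1
    line=$(printf '*.*\t%s' "$target")
    # -x -F: match the whole line literally, so "@10.10.10.92" is not
    # mistaken for an existing "@10.10.10.92:9200" rule (or vice versa)
    if grep -qxF "$line" "$conf" 2>/dev/null; then
        return 0            # already configured, nothing to do
    fi
    printf '%s\n' "$line" >> "$conf"
}

# Reload syslogd on OS X via launchctl and send a test line, as the post
# suggests. Needs root; not invoked here.
reload_and_test() {
    launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
    launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist
    logger "syslog forwarding test from $(hostname)"
}

# Usage from a deployment script, run as root (uncomment to use):
# add_syslog_forward /etc/syslog.conf 10.10.10.92 9200 && reload_and_test
```

Running it a second time is a no-op, which is what you want from anything that lives in a Casper policy or a login script.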


That Time I Interviewed Andrina For An AFP548 Podcast

Hey, remember that time I interviewed Andrina in an AFP548 podcast? That was totally fun! We should do that again. Maybe I’ll pronounce toller right next time! #cloudwords


MacAdmins Conference at Penn State

Straight from our good friends at PSU:

Register Now for the 2014 MacAdmins Conference!

We’re proud to announce that early-bird registration for the 2014 MacAdmins Conference is now open!

This year’s conference will be bigger and better than ever, with over 50 sessions on Mac and iOS administration topics, 5 brand new pre-conference workshops, and 3 amazing evening events.

Early-bird registration price is the same as last year:
* $400 conference only (July 9-11) <http://macadmins.psu.edu/conference/registration/>
* $550 conference plus pre-conf workshop (July 8-11) <http://macadmins.psu.edu/conference/registration/>

Early-bird pricing ends April 30, and we expect to sell out quickly, so register now:

<http://macadmins.psu.edu/conference/registration/>

** Pre-Conference Workshops
—————————

This year we’re introducing pre-conference workshops – 5 full-day sessions on the most important topics facing today’s Mac and iOS System Administrator:
* D&D – Deployment and Delivery
* iOS and Mobile Device Management
* More Shell Scripting than Necessary
* Python and Git for System Admins
* Mac Admin Fundamentals

Visit our Workshops <http://macadmins.psu.edu/workshops/> page for detailed descriptions. Space on these workshops is limited and they will fill up fast!  Secure your spot today. <http://macadmins.psu.edu/conference/registration/>

** Thanks for the Session Submissions!
————————————–

We had a tremendous response to our conference session call for proposals.  If you submitted a session, you’ll be hearing from us in the next few days.

** New Hashtag:  #psumac
————————————————————

The MacAdmins Conference at Penn State is @psumacconf <https://twitter.com/psumacconf> on Twitter and our official hashtag is #psumac <https://twitter.com/search?&q=%23psumac> .

Update your Twitter clients and saved searches accordingly!

============================================================


MacIT Early Bird Registration

If you haven’t signed up for one of my favorite conferences ever, MacIT (alongside Macworld) then you should give it a go. If you’ve never been, it’s great and if you’ve been then it’s great to catch up with old friends. I hope to see you there!

————————————

MacIT®, taking place March 26-29, 2014, in San Francisco, CA at Moscone Center North (alongside Macworld/iWorld), is the definitive event for understanding Apple technology implementation and management in enterprise environments. Our esteemed faculty of industry experts provide detailed, impartial analysis of the technology and solution chains you face when putting iOS, OS X and Apple hardware products to work in large enterprise.

MacIT 2014 features sessions on: MDM, BYOD, IPv6, VMs, SNMP, Mavericks, iOS7 and more!

MacIT 2014 opens with a thought-provoking keynote: What the Enterprise Needs from Apple – IT Execs Speak Out.

In this special panel discussion led by IDG Communications’ Chief Content Officer John Gallant, leading IT executives and a top Apple analyst share their views on what the enterprise needs from Apple. What gaps exist in current Apple offerings? How does IT want to deal with – or not deal with – Apple? How can enterprise IT and Apple build a more fruitful partnership that makes life easier for the business and helps Apple build even better products for a future in which the line is increasingly blurred between work and the rest of our lives? The session will highlight opportunities for Apple and other companies to improve the Apple ecosystem at work.

MacIT is uniquely positioned to help today’s IT/IS and Network managers face and conquer the mobile implementation challenges they face daily.

Register today to join your IT colleagues, technology leaders and industry experts, at the definitive event for deploying and managing Apple in the enterprise.

Register by February 28th to Save!

For the full conference program and list of speakers, visit www.macitconf.com
We look forward to seeing you next March!


Scripting PGP Whole Disk Encryption On A Mac (or Windows, really)

The PGP Whole Disk Encryption (WDE) tools have a command line interface for both OS X and Windows. The options are mostly the same across the two. We’ll focus on two for the purposes of this little article, --list-user and --change-passphrase, although there are a number of other options. A general breakdown of the options includes the following:

  • --enum – show the disks available
  • --disk-status – show the encryption status of the disk indicated with the --disk option
  • --stop – stop the encryption or decryption process of a --disk using --passphrase
  • --instrument – install BootGuard using the --disk option followed by the number of the disk
  • --uninstrument – remove BootGuard using the --disk option followed by the number of the disk
  • --add-user – add a PGP user (include a user name followed by --passphrase and the passphrase, as well as --disk and the number of the disk)
  • --change-passphrase – change the password on --disk for the user specified with -u on --domain, with -i to make it interactive (with an option to include a --recovery-token if you don’t have the password)
  • --list-user – list the PGP users with access to a --disk
  • --encrypt – manually enable encryption on a --disk using a --passphrase
  • --decrypt – disable encryption by decrypting the disk at --disk using a --passphrase
  • --recover – allow a user to recover a --disk when BootGuard is unavailable using the --passphrase

So let’s put these in motion. First, let’s just look at all the disks available using the --enum option:

pgpwde --enum

OK, so disk 0 is my only volume and it’s bootable. Nothing has been encrypted yet. Let’s confirm that by looking at --disk-status:

pgpwde --disk-status --disk 0

Now, let’s see who’s got access to that disk:

pgpwde --list-user --disk 0

Then, let’s enable BootGuard on our volume:

pgpwde --instrument --disk 0

And then add user cedge to be able to unlock that volume, with a passphrase of krypted:

pgpwde --add-user cedge --passphrase krypted --disk 0

And then let’s encrypt it:

pgpwde --encrypt --passphrase krypted --disk 0

And finally, to change the password of that cedge account to something more secure (the new passphrase is single-quoted so the shell doesn’t treat the $ in it as a variable and silently pass a different string than you typed):

pgpwde --change-passphrase --disk 0 -u cedge --passphrase krypted --new-passphrase '!Ab@nK$Ru13z'

To make scripting this a bit easier, you can also skip the --passphrase option entirely (you might not know the current passphrase, since they’re not typically reversible) and use the --recovery-token option instead (assuming you have a token).

Note: No passwords were hurt in the writing of this article.


Quick nmap Hacks

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain nmap in an easy-to-use package installer for OS X, check out the download page at http://nmap.org/download.html#macosx (use the same page to grab it for Windows or *nix as well). Once downloaded, run the package/rpm/whatever.

Before I scan a system, I like to pull the routing table and interface info to see how scans will be routed, which you can do by running nmap with the --iflist option:

nmap --iflist

Basic Scanning
To then scan a computer, just use the nmap command followed by the host name, or even throw a -v option in there to see more information (you can use a hostname or an IP):

nmap -v www.apple.com

Use the -6 option if scanning via IPv6:

nmap -v -6 8a33:1a2c::83:1a

You can drop the -v for less info on these, but I usually like more rather than less. The output shows ports, their states, services (for the ports) and a MAC address for each IP being scanned.

You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard: replace an octet with * to scan every address in that octet. For example, to scan all systems on the 192.168.210.0/24 network:

nmap 192.168.210.*

You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:

nmap 192.168.210.0/24

You can also just list a range, which is much easier in some cases, using the --exclude option to leave out an address that will be angry if port scanned:

nmap 192.168.210.1-100 --exclude 192.168.210.25

Or to do a few hosts within that range:

nmap 192.168.210.1,10,254

Or you can even use the following to read in a list of addresses and subnets, where each is on its own line:

nmap -iL ~/nmaplist.txt

By default, nmap is scanning all ports. However, if you know what you’re looking for, scans run much faster if you constrain them to a port or range of ports. Use the -p option to identify a port, prefixed with T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 143 and 443 on a host:

nmap -p 53,80,110,143,443 www.apple.com

Do OS detection (along with version detection, default scripts and traceroute) using the -A option:

nmap -A www.apple.com

For true remote OS detection, use -O with --osscan-guess:

nmap -v -O --osscan-guess mail.krypted.com

We can also output to a text file using the -oN option (or of course > filename, but -oN is more elegant here unless you’re parsing elsewhere in the line):

nmap -v -oN ~/Desktop/nmapresults.txt -O --osscan-guess mail.krypted.com
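Saved output is only useful if something reads it. What follows is an added example, not from the original post: it consumes nmap’s grepable output (-oG, a sibling of the -oN file output above) and reports, per host, any open port that is not on an allowlist, which is the defender’s side of scanning your own range. The function names and the space-separated allowlist format are my own assumptions; the -oG line layout in the comment is nmap’s.

```shell
#!/bin/sh
# Added example (not from the original post): reduce an nmap -oG report
# to "host port/proto" lines and flag open ports that are not expected.
# Assumed: the function names and the "22/tcp 443/tcp" allowlist format.

# Print "host port/proto" for every port reported open in a -oG file.
# A -oG host line looks like (fields are tab separated):
#   Host: 10.0.0.5 (name)<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: closed (998)
# Each port entry is port/state/proto/owner/service/rpcinfo/version/.
open_ports() {
    awk -F'\t' '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue      # e.g. "Status: Up" lines
                sub(/^Ports: */, "", $i)
                n = split($i, entries, ", ")
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")        # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open") print host, f[1] "/" f[3]
                }
            }
        }' "$1"
}

# Print the open ports that are not in a space-separated allowlist such as
# "22/tcp 443/tcp". Anything printed deserves a look.
unexpected_ports() {
    allow=" $2 "
    open_ports "$1" | while read -r host port; do
        case "$allow" in
            *" $port "*) ;;                          # expected, stay quiet
            *) printf '%s %s\n' "$host" "$port" ;;
        esac
    done
}

# Usage (run the scan, then review):
#   nmap -oG scan.gnmap 192.168.210.0/24
#   unexpected_ports scan.gnmap '22/tcp 443/tcp'
```

Filtered and closed ports are deliberately ignored; the point of a scheduled self-scan is to catch a new listener, not to re-read the whole table every time.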

Firewalls
Next, we’ll look at trying to get past pesky annoyances like stateful packet inspection on firewalls. First, check whether there is actually a firewall in the way using an ACK scan (-sA):

nmap -sA www.apple.com

Scan even if the host is protected by a firewall:

nmap -PN www.apple.com

Just check to see if some devices are up even if behind a firewall:

nmap -sP 192.168.210.10-20

To use SYN or ACK probes for host discovery, run nmap with the -PS or -PA option (shown respectively; the port list is attached directly to the option, with no space):

nmap -PS443 www.apple.com
nmap -PA443 www.apple.com

Try to determine why ports are in a specific state:

nmap --reason www.apple.com

Show all sent/recvd packets:

nmap --packet-trace www.apple.com

Probe the open ports to determine the version of the software listening on them:

nmap -sV www.apple.com

Security Scanning
Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try to spoof another MAC address using the --spoof-mac option. We’ll use 0 after that option to indicate that we’re randomly generating a MAC, although we could use a real MAC in place of the 0:

nmap -v -sT --spoof-mac 0 www.apple.com

Next, let’s try adding decoys with the -D option, which lets us list some spoofed IPs alongside our own so the target doesn’t single out our IP as the one actually scanning it (note that the IP we’re testing from is 192.168.210.210):

nmap -n -D 192.168.210.1,192.168.210.10,192.168.210.210,192.168.210.254 www.apple.com

Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):

nmap -sX www.apple.com

Configure a custom MTU (the value must be a multiple of 8):

nmap --mtu 64 www.apple.com

Fragment your packets:

nmap -f www.apple.com

Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting www.krypted.com.