Category Archives: Mac Security

Mac OS X Mac OS X Server Mac Security Mass Deployment

Receipts & Bills of Material in 10.8

When a package is installed, OS X records it in /Library/Receipts/InstallHistory.plist. Each dictionary in that list describes one installed package: the installation date, the name displayed during installation, the version of the package, its package identifier and the name of the process that performed the install. The same information, along with the file name of the actual package, is stored in a per-package property list in /private/var/db/receipts, and each package's bill of materials, the list of every object it laid down, is stored there too as a .bom file.


The lsbom command is used to see the list of objects installed by a package, along with details such as the permissions assigned to each file as it was installed. For example, to see what the Twitter app from the Mac App Store installed:

lsbom /private/var/db/receipts/com.twitter.twitter-mac.bom

This package was installed by the Mac App Store, and a Mac App Store package should only contain objects inside that application's .app bundle, so anything the receipt lists outside the bundle (a launch daemon, a privileged helper tool) deserves a closer look. The default output is a fair amount of information, so you can use the -s option to constrain it to just the paths of files (relative paths, of course). I'm usually a fan of more information rather than less, so I usually add the -m option, which also shows the permissions:

lsbom -m /private/var/db/receipts/com.twitter.twitter-mac.bom

Note: You can also use the mkbom command to create new .bom files. As the bom man page indicates, the format goes back to NeXTSTEP and was extended for 10.0 and again in 10.3.
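As an added example (not code from the original post, and not one of Apple's tools), here is a small Python script that performs the check described above on an lsbom listing. It parses the default lsbom columns (path, octal mode with the file-type bits included, uid/gid, then size and checksum for regular files, tab separated) and flags anything the receipt places outside the expected .app bundle, anything setuid or setgid, and anything world-writable. The listing it runs on is a constructed sample modelled on the Twitter receipt, with two hypothetical extra entries (a LaunchDaemons plist and a setuid helper under /Library/PrivilegedHelperTools) added so there is something to flag; to audit a real receipt, feed it the output of lsbom on that .bom instead.

```python
import stat

# Constructed sample standing in for:  lsbom /private/var/db/receipts/<id>.bom
# Columns: path, octal mode (file-type bits included), uid/gid, then size and
# checksum for regular files, all tab separated. The last two entries are
# hypothetical and are only there to give the audit something to flag.
SAMPLE_LSBOM = (
    ".\t41775\t0/80\n"
    "./Applications\t40775\t0/80\n"
    "./Applications/Twitter.app\t40755\t0/80\n"
    "./Applications/Twitter.app/Contents\t40755\t0/80\n"
    "./Applications/Twitter.app/Contents/MacOS\t40755\t0/80\n"
    "./Applications/Twitter.app/Contents/MacOS/Twitter\t100755\t0/80\t3481232\t2813742917\n"
    "./Library/LaunchDaemons/com.example.helper.plist\t100644\t0/0\t512\t1234567890\n"
    "./Library/PrivilegedHelperTools/com.example.helper\t104755\t0/0\t81920\t987654321\n"
)


def bom_path_to_abs(path):
    """Turn the './relative' paths lsbom prints into absolute install paths."""
    if path == ".":
        return "/"
    if path.startswith("./"):
        return path[1:]
    return "/" + path


def parse_lsbom(text):
    """Return [(absolute_path, mode_int)] for every entry in an lsbom listing."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        entries.append((bom_path_to_abs(fields[0]), int(fields[1], 8)))
    return entries


def audit_receipt(entries, bundle):
    """Return [(path, reason)] findings for a parsed receipt.

    bundle is the absolute path of the .app the receipt is expected to own.
    Directories above the bundle (/, /Applications) are always present in a
    bom and are allowed; every other entry must live inside the bundle.
    """
    bundle = bundle.rstrip("/")
    findings = []
    for path, mode in entries:
        inside = path == bundle or path.startswith(bundle + "/")
        is_ancestor = stat.S_ISDIR(mode) and (bundle + "/").startswith(path.rstrip("/") + "/")
        if not (inside or is_ancestor):
            findings.append((path, "outside bundle"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid"))
        # Sticky world-writable directories (like /tmp) are normal; plain o+w is not.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_receipt(parse_lsbom(SAMPLE_LSBOM), "/Applications/Twitter.app"):
        print("%-55s %s" % (path, reason))
```

Run against the sample it reports the plist and the helper as outside the bundle and the helper as setuid; run against a clean Mac App Store receipt it should report nothing at all.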

Mac OS X Mac OS X Server Mac Security Mass Deployment

Who Needs Root When You Can Have Simple Finder

Here’s the thing: I’m not very good with computers. So to keep me from hurting myself too badly, I need the simplest interface available that still lets me run multiple applications. Most of the command keys shouldn’t work in this interface, and I should only have the Finder, File and Help menus.

Luckily for my poor MacBook Airs, Apple thought of people like me when they wrote the Finder and created something called Simple Finder, which makes OS X even simpler to use than it is by default. To enable Simple Finder, go to Parental Controls, enable controls for a user and check the box for Simple Finder. Or, if you have an entire population of users like me who simply can’t be trusted with a full operating environment, you can write the InterfaceLevel key with the value simple (easy to remember for those of us who resemble said key) to com.apple.finder and restart our friendly neighborhood Finder:

defaults write com.apple.finder InterfaceLevel simple; killall Finder

Come to think of it, maybe I’m not so awful. Let’s say I want to turn that whole Simple Finder thing right back off. All we have to do is delete the key we created and restart the Finder. That is also the caveat: written this way, InterfaceLevel is a per-user preference rather than a restriction, so any user who can get to a Terminal can undo it with the very next command. Parental Controls applies the same setting as a managed preference, which is the route to take for users who genuinely shouldn’t be able to turn it back off.

defaults delete com.apple.finder InterfaceLevel; killall Finder

Actually, I am terrible with these things. So much so that it’s not appropriate for me to use a computer. Therefore, just take it away. I’ll be better off using that Samsung with Windows 8 for a while. At least there, I won’t be able to get any of my apps open or find any of the administrative tools that could damage the computer!

Mac OS X Mac Security

Using sysdiagnose to Capture Performance Data In OS X

“My computer sometimes just runs slow,” “the fan on my laptop won’t turn off sometimes,” and “my network connection keeps dropping.” These are among the most annoying problems to solve for our users because they are intermittent. To make matters worse, many users hit them at home or at remote locations, so systems administrators rarely get to see them happen.

There is something I use in these cases, though, that has helped isolate such problems from time to time. Simply tell users to press Control-Option-Command-Shift-Period when the problem is happening. Doing so runs the sysdiagnose command, which takes a quick snapshot of many common logs and performance data, zips it up and opens a Finder window pointing at the result (in /var/tmp, with a file name containing a date stamp of when the command was run). The archive contains output from allmemory, lsof, top, netstat, sysctl, spindump, fs_usage, system_profiler, mount, airport, odutil and many others, each in its own log and easy to navigate. Keep in mind that this is a fairly complete picture of the machine (running processes, network configuration, system logs), so treat the archive as sensitive and have users send it to you over a channel you trust rather than posting it on a public forum.

When running /usr/sbin/sysdiagnose from the command line there are a couple of options. My favorite is -f (which I think must be short for favorite), which writes the output to a directory I specify rather than to some randomly named object in a tmp directory. You can also get even more output using -t. Verbose logging is obtained using -h, and passing a pid as the last argument will also gather information about that process. So let’s say that process 10883 is giving me some problems. I could run the following to get some good output on my desktop:

sysdiagnose -h -t -f ~/Desktop 10883

Anyway, hope you enjoy!

Mac OS X Mac OS X Server Mac Security Mass Deployment Ubuntu Unix

Using allmemory To Test Memory in OS X

Earlier I wrote an article on testing memory using memtest. Memtest actually looks at the memory in a system and checks it for errors. But what about checking the system’s use of memory for problems? OS X has a built-in tool called allmemory that can report on system-wide or per-process memory use. In its simplest incantation allmemory can just be run with no options:

allmemory

This is going to result in a few errors, if only because allmemory is getting a little long in the tooth. But you can also scan on a per-process basis. To do so, run allmemory with the -proc option followed by the pid of the process:

allmemory -proc 13727

You can also use the following options:

  • -noframework: doesn’t show data that comes from frameworks (otherwise it does), so this option only shows the specific process and not its dependencies
  • -noprocess: doesn’t show the process, so you’re looking at framework utilization instead
  • -32bit: only show 32-bit processes
  • -64bit: only show 64-bit processes
  • -v: show address space utilization on a per process basis
  • -f: show segment utilization on a per framework basis
  • -i: show data from a previous run of the tool, which uses a path after the -i to load that data from
  • -o: outputs the data to a specific directory (otherwise it defaults to /tmp/allmemoryDataFiles). Note, when called from other Apple tools, the output is normally set within a dmg or zip in /var/tmp
  • -d: loads data from /tmp/allmemoryDataFiles if it exists
  • -P: shows information about VM regions used

There are a few other options, but those are the only ones I can remember using. Overall, allmemory is a pretty cool tool, and if nothing else it has helped me prove to vendors that I have issues with their software. I’m maybe not always happy with their responses, but it’s good to be able to prove that there’s a problem. Finally, output can look something like the following:

Active Directory Mac OS X Mac OS X Server Mac Security Network Infrastructure Ubuntu Unix VMware Windows Server Windows XP Xsan

List All DNS Records For A Domain

Sometimes you want to move a domain but you don’t have a copy of the zone file in order to recreate the records. The easy way to do this is to grab a zone transfer (AXFR). A transfer has to be requested from one of the domain’s authoritative name servers; a recursive resolver will simply refuse it. With one of the domain’s NS hosts substituted for ns1.mycompany.com, dig is your friend:

dig @ns1.mycompany.com -t AXFR mycompany.com

Sometimes, though (and actually more often than not), zone transfers are disabled. In that case you’ll need to dig the domain a bit differently. I like to use +nocmd, query for ANY and list the results (+answer):

dig +nocmd krypted.com any +answer

Which results in the following:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39183
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 1262 IN A 97.74.215.39
krypted.com. 3600 IN MX 0 smtp.secureserver.net.
krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3600 IN NS ns25.domaincontrol.com.
krypted.com. 3600 IN NS ns26.domaincontrol.com.
krypted.com. 3600 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2010010400 28800 7200 604800 3600

;; Query time: 127 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:31:15 2013
;; MSG SIZE rcvd: 207

The above shows the naked domain name entry (yes, I still giggle every time I write the word naked, so it’s ok if you giggled when you read it), the mail exchangers (which, by the way, I don’t actually use, so please don’t try to send any mail there at this time) and the name servers. The serial and refresh information is in there too, but squashed onto the one SOA line where it might not make much sense, so we’ll add the +multiline option, which makes the output look strangely like a zone file:

dig +nocmd krypted.com any +multiline +answer

Notice that the serial, refresh, retry, expire and minimum values are now listed in a much more readable way:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10965
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 3225 IN A 97.74.215.39
krypted.com. 3225 IN MX 0 smtp.secureserver.net.
krypted.com. 3225 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3225 IN NS ns25.domaincontrol.com.
krypted.com. 3225 IN NS ns26.domaincontrol.com.
krypted.com. 3225 IN SOA ns25.domaincontrol.com. dns.jomax.net. (
2010010400 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)

;; Query time: 22 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:32:20 2013
;; MSG SIZE rcvd: 207

And there you go. That’s about as close as you get to a zone transfer when transfers are disabled, with two caveats. An ANY query only returns the records at the name you asked about (the apex here), not www, mail or any other host in the zone, so hostnames still have to be guessed or enumerated one name at a time; and the answer is whatever the resolver you asked (4.2.2.2 above) has cached or fetches on your behalf, not the zone itself. Many authoritative servers now also answer ANY with a deliberately minimal response (RFC 8482), in which case query the types you care about (A, AAAA, MX, NS, SOA, TXT) individually. Silly DNS admins, disabling zone transfers and all that… Yes, I disable zone transfers on most of my DNS boxen as well, or at least only allow them from specific IPs… ;)
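An added example (not from the original post) that turns the two steps above into a bit of tooling: it parses dig’s +multiline answer section, including the parenthesised SOA, into records, pulls the SOA timers apart by name, and builds one AXFR command per authoritative name server found, since a transfer has to be asked of an NS host rather than of the resolver. It runs offline on the post’s own dig output, embedded below as a constructed sample; the AXFR commands are returned as strings rather than executed.

```python
# Constructed sample: the +multiline answer from the post, as dig prints it.
SAMPLE_DIG = """\
;; ANSWER SECTION:
krypted.com. 3225 IN A 97.74.215.39
krypted.com. 3225 IN MX 0 smtp.secureserver.net.
krypted.com. 3225 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3225 IN NS ns25.domaincontrol.com.
krypted.com. 3225 IN NS ns26.domaincontrol.com.
krypted.com. 3225 IN SOA ns25.domaincontrol.com. dns.jomax.net. (
2010010400 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)

;; Query time: 22 msec
"""


def parse_dig_answer(text):
    """Return [(name, ttl, rtype, rdata)] from dig output.

    Lines beginning with ';' are dig's own comments and are skipped, as are
    blank lines. An rdata ending in '(' continues on the following lines until
    ')' (how +multiline prints SOA); the '; serial' style comments inside that
    block are stripped before the tokens are joined.
    """
    records = []
    open_record = None  # (name, ttl, rtype, tokens) while inside ( ... )
    for raw in text.splitlines():
        line = "" if raw.startswith(";") else raw.split(";", 1)[0].strip()
        if not line:
            continue
        if open_record is not None:
            name, ttl, rtype, tokens = open_record
            tokens.extend(line.replace(")", " ").split())
            if ")" in line:
                records.append((name, ttl, rtype, " ".join(tokens)))
                open_record = None
            continue
        parts = line.split()
        if len(parts) < 4 or parts[2] != "IN":
            continue  # not a resource record line
        name, ttl, rtype, rdata = parts[0], int(parts[1]), parts[3], parts[4:]
        if rdata and rdata[-1] == "(":
            open_record = (name, ttl, rtype, rdata[:-1])
        else:
            records.append((name, ttl, rtype, " ".join(rdata)))
    return records


def soa_fields(records):
    """Split the SOA rdata into named fields, or return None if there is no SOA."""
    for name, ttl, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
            return {"mname": mname, "rname": rname, "serial": int(serial),
                    "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    return None


def axfr_commands(domain, records):
    """One 'dig @ns domain AXFR' per NS record at the domain apex.

    AXFR has to go to an authoritative server; sent to a recursive resolver
    (what a bare 'dig -t AXFR domain' does) it is always refused.
    """
    apex = domain.rstrip(".")
    return ["dig @%s %s AXFR" % (rdata, apex)
            for name, ttl, rtype, rdata in records
            if rtype == "NS" and name.rstrip(".") == apex]


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG)
    for rec in recs:
        print(rec)
    print(soa_fields(recs))
    for cmd in axfr_commands("krypted.com", recs):
        print(cmd)
```

Pipe real dig output in place of the sample and the same parser works unchanged; if every command it prints comes back with "Transfer failed.", the admins have done their job and you are back to querying record types one at a time.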

Mac OS X Mac OS X Server Mac Security

Recovering Open Directory Databases

Every now and then I see an Open Directory database that has become corrupt for one reason or another. To be more specific, while I see Kerberos get wonky and password server issues from time to time, every now and then I see the actual LDAP database throw errors like the one below when the configuration is tested with slapd in tool mode (-Tt, which is the same as running slaptest):

/usr/libexec/slapd -Tt

Corruption usually looks a little something like this:

51890ba0 ldif_read_file: checksum error on "/var/db/openldap/openldap-data/cn.bdb"
51890ba0 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

If the bdb (Berkeley DB) files can’t be read properly, run a sanity check with slaptest to see whether there are other issues as well:

slaptest -f /private/etc/openldap/slapd.conf -v

Provided that your problems are with the bdb files and not the ldif files (which can easily be grabbed from another OD server), you can then recover the database using db_recover, with the -h option pointing at the directory your bdb files reside in (/var/db/openldap/openldap-data in OS X Server):

db_recover -h /var/db/openldap/openldap-data/

Always back up first. If errors continue, you can also run db_recover with the -c option, which performs a “catastrophic” recovery. Also, slapd must not be running while db_recover works on its files, so Open Directory needs to be stopped before you run it. Chances are that if you have corruption the database is already stopped; check first, though:

serveradmin fullstatus dirserv

If it’s running, stop it:

serveradmin stop dirserv

Once you’re done, there’s no longer any need to reboot after this kind of thing, which is a huge time saver, so just swap stop for start and you’re good:

serveradmin start dirserv

Mac OS X Mac OS X Server Mac Security Mass Deployment

Testing Memory On Apple Computers

Failing memory can make a computer run slow, cause kernel panics and in general drain productivity, and the more of it goes bad the more frequent those problems become. As such, testing memory every now and then will help make your life better.

Memtest is a great little tool for troubleshooting memory problems across a variety of platforms. It can be installed on clients pretty easily using this little package that was posted a while ago and is still functional. Once the package is installed, you can run memtest and have it check memory. Just run memtest all and it will test all of the memory it can get hold of (it can only test memory that nothing else is using, so for the best coverage run it from single-user mode, where very little else is loaded):

memtest all

You can also be a bit more specific about how you test. You can define the amount of memory to test as well as the number of iterations to run. In the following command the first argument is the amount of memory and the second is the number of iterations; this tests 1024 MB of memory and runs the tests twice, reporting to stderr:

memtest 1024m 2

Adding the --log option logs to stderr and to memtest.log as well:

memtest 1024m 2 --log

Overall, memtest is a really easy tool to use. It’s also pretty good at isolating issues and can easily be folded into other tools!

Mac OS X Mac OS X Server Mac Security personal

Half Off My Book (and other O’Reilly Titles)!

In Celebration of *Day Against DRM* Save 50% on 5000+ Ebooks & Videos at O’Reilly (including mine). And save 60% on orders over $100, so feel free to order multiple copies of my book!

Having the ability to download files at your convenience, store them on all your devices, or share them with a friend or colleague as you would a print book is liberating, and is how it should be. This is a critical moment in the fight against DRM. A proposal currently being considered by the W3C would weave DRM into HTML5 — in other words, into the very fabric of the Web.

Ebooks from oreilly.com are DRM-free. You get free lifetime access, multiple file formats, free updates.

Use discount code DRM2013. The deal expires May 3, 2013 at 11:59pm PT and cannot be combined with other offers.

certifications Mac OS X Mac OS X Server Mac Security

New 3rd Party Apple Certification Exams Now Available

After hearing about these new certifications for a good 3 or 4 years, I’m stoked that Tech2000 has now made the new Advanced OS X certification exams available. Currently there are three exams:

  • OS X Directory Services Specialist Certification Exam
  • OS X Deployment Specialist Certification Exam
  • OS X Mobile Device and Profile Specialist Certification Exam

These exams are a more modern rendition of what Apple Training would be providing if it still offered any courses beyond the OS X Server ACTC. Basically, you can think of it as though the previous Security and Xsan exams were swapped out for Mobile Devices, which makes sense given the changing climate of things.

Now, these are not Apple exams. But I don’t really think it matters too much whether there’s an Apple logo on them or not. At the end of the day if you do this kind of stuff then it’s nice to have a 3rd party option available if you so choose to go down that route!

The Tech2000 site is available at http://www.t2000inc.com/apple/osxcertification.html.

Mac OS X Mac OS X Server Mac Security

Mac Hacks From O’Reilly Media

Mac Hacks is now available from O’Reilly Media. Full of helpful little tips and tricks from Chris Seibold, the book also sports a hack from Krypted.com. Hope you enjoy this one as much as I have!


PS – Thanks to O’Reilly for the advance copy. You’re, as always, a class act!