krypted.com

Tiny Deathstars of Foulness

I’d written an efi version checker. But the lovely Andrew Seago texted me one that’s better than mine. So I present it here: current_efi_version=`/usr/libexec/efiupdater | grep "Raw" | cut -d ':' -f2 | sed 's/ //'`
echo "current_efi_version $current_efi_version"
latest_efi_version=`ls -La /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle/allowlists/ | grep "$current_efi_version"`
echo "latest_efi_version $latest_efi_version"
if [ "$latest_efi_version" == "" ]; then
echo "EFI FAILED"
exit 1
else
echo "EFI PASSED"
exit 0
fi

November 2nd, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Uncategorized

Tags: , , ,

One Comment

The following is a list of application bundles that come pre-installed with macOS that are protected by SIP:
/Applications/App Store.app
/Applications/Automator.app
/Applications/Calculator.app
/Applications/Calendar.app
/Applications/Chess.app
/Applications/Contacts.app
/Applications/DVD Player.app
/Applications/Dashboard.app
/Applications/Dictionary.app
/Applications/FaceTime.app
/Applications/Font Book.app
/Applications/Game Center.app
/Applications/Image Capture.app
/Applications/Launchpad.app
/Applications/Mail.app
/Applications/Maps.app
/Applications/Messages.app
/Applications/Mission Control.app
/Applications/Notes.app
/Applications/Photo Booth.app
/Applications/Photos.app
/Applications/Preview.app
/Applications/QuickTime Player.app
/Applications/Reminders.app
/Applications/Safari.app
/Applications/Siri.app
/Applications/Stickies.app
/Applications/System Preferences.app
/Applications/TextEdit.app
/Applications/Time Machine.app
/Applications/Utilities
/Applications/iBooks.app
/Applications/iTunes.app
/Applications/Utilities/Activity Monitor.app
/Applications/Utilities/AirPort Utility.app
/Applications/Utilities/Audio MIDI Setup.app
/Applications/Utilities/Bluetooth File Exchange.app
/Applications/Utilities/Boot Camp Assistant.app
/Applications/Utilities/ColorSync Utility.app
/Applications/Utilities/Console.app
/Applications/Utilities/Digital Color Meter.app
/Applications/Utilities/Disk Utility.app
/Applications/Utilities/Grab.app
/Applications/Utilities/Grapher.app
/Applications/Utilities/Keychain Access.app
/Applications/Utilities/Migration Assistant.app
/Applications/Utilities/Script Editor.app
/Applications/Utilities/System Information.app
/Applications/Utilities/Terminal.app
/Applications/Utilities/VoiceOver Utility.app
/Applications/Utilities/X11.app
Note: Files located in /System, /usr, /bin, and /sbin are recursively protected as well.

October 2nd, 2017

Posted In: Mac OS X, Mac Security

Tags: , , ,

The first thing you’ll want to do on any server is setup the networking for the computer. To do this, open the System Preferences and click on Network. You usually want to use a wired Ethernet connection on a server, but in this case we’ll be using Wi-Fi. Here, click on the Wi-Fi interface and then click on the Advanced… button.

At the setup screen for the interface, provide a good static IP address. Your network administrator can provide this fairly easily. Here, make sure you have an IP address and a subnet mask. Since we need to install the Server app from the Mac App Store, and that’s on the Internet, you’ll also need to include a gateway, which provides access to the Internet and using the DNS tab, the name servers for your Internet Service Provider (ISP).
 
Once you have provided a static IP address, verify that you can route to the Internet (e.g. open Safari and visit a website). Provided you can, the first step to installing macOS Server onto High Sierra is to download the Server app from the Mac App Store. To do so, open the App Store app and search for Server. In the available apps, you’ll see the Server app from Apple. Here, click on Buy and let the app download. That was pretty easy, right. Well, the fun has just gotten started. Next, open the app.

When you first open the Server app, you’ll see the Server screen. Here, you can click on the following options:
  • Other Mac: Shows a list of Macs with the Server app that can be remotely configured. Choosing another system does not complete the setup process on the system you’re working on at the moment.
  • Cancel: Stops the Server app setup assistant and closes the Server App.
  • Continue: Continues installing the Server app on the computer you are using.
  • Help: Brings up the macOS Server manual.
 

Click Continue to setup macOS Server on the machine you’re currently using. You’ll then be prompted for the licensing agreement from Apple. Here, check the box to “Use Apple services to determine this server’s Internet reachability” and click on Agree (assuming of course that you agree to Apple’s terms in the license agreement).

Installing macOS Server must be done with elevated privileges. At the prompt, enter the credentials for an account with administrative access and click on the Allow button.

The services are then configured as needed and the command line tools are made accessible. This can take some time, so be patient. When the app is finished with the automation portion of the configuration, you will be placed into the Server app for the first time. Your first order of business is to make sure that the host names are good on the computer. Here, first check the Host Name. If the name doesn’t resolve properly (forward and reverse) then you will likely have problems with the server at some point. Therefore, go ahead and click on Edit Host Name… Here, enter the fully qualified address that the server should have. In the DNS article, we’ll look at configuring a good DNS server, but for now, keep in mind that you’ll want your DNS record that points to the server to match what you enter here. And users will use this address to access your server, so use something that is easy to communicate verbally, when needed.

 
At the Change Host Name screen, click Next. At the “Accessing your Server” screen, click on Internet and then click on the Next button.



At the “Connecting to your Server” screen, provide the Computer Name and the Host Name. The Computer Name is what you will see when you connect to the server over Bonjour and what will be listed in the Sharing System Preference pane. The Host Name is the fully qualified host name (fqdn) of the computer. I usually like to take the computer name and put it in front of the domain name. For example, in the following screen, I have osxserver as the name of the computer and osxserver.krypted.com as the host name.



Once you have entered the names, click on the Finish button. You are then prompted to Change Host Name. Click on Change Host Name at this screen.

Next, let’s open Terminal and run changeip with the -checkhostname option, to verify that the IP and hostname match:

sudo changeip -checkhostname


Provided that the IP address and hostname match, you’ll see the following response.

sudirserv:success = “success”

If the IP address and hostname do not match, then you might want to consider enabling the DNS server and configuring a record for the server. But at this point, you’ve finished setting up the initial server and are ready to start configuring whatever options you will need on the server.

September 28th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

macOS Server has long had a VPN service to allow client computers to connect to a network even when they’re out of the home or office. And as with many a service on macOS Server, this is one of the easiest VPN servers you’ll ever setup. The server was once capable of running the two most commonly used VPN protocols: PPTP and L2TP. And while PPTP is still accessible via the command line, L2TP is now configured by default when you setup the server using the Server app.

Setting Up The VPN Service In macOS Server

To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has a number of options available, as seen here.

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN.
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over.
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (macOS using the profiles command, iOS using Apple Configurator or both using Profile Manager).
  • Shared Secret: A passphrase that must be supplied by the client prior to getting a username and password prompt.
Once configured, open incoming ports on the router/firewall. While deprecated(ish) PPTP runs over port 1723. L2TP is a bit more complicated, running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn And to list the available options:

sudo serveradmin settings vpn

The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app:

vpn:vpnHost = "odr.krypted.com" vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1 vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128 vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20" vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2" vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2" vpn:Servers:com.apple.ppp.pptp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM" vpn:Servers:com.apple.ppp.pptp:enabled = no vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP" vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP" vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5 vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA" vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL" vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0 vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1 vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60 vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2" vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0 vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth" vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1 vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200 vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE" vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.255" vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254" vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual" vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4" vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128 vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0 vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1 vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains:_array_index:0 = "jamfsw.corp" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:0 = "10.10.16.200" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:1 = "10.1.16.20" vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:_array_index:2 = "8.8.8.8" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2" vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2" vpn:Servers:com.apple.ppp.l2tp:EAP:KerberosServicePrincipalName = "vpn/odr.krypted.com@OSXSERVER.KRYPTED.COM" vpn:Servers:com.apple.ppp.l2tp:enabled = yes vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP" vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP" vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5 vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB" vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL" vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0 vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60 vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1 vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2" vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth" vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log" vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200 vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain" vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = "" vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp" vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret" vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = "" vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None" vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <> vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "10.10.23.128" vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "10.10.23.254" vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual" vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec" vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "Yq!XdGsVyAY?o;9jnj

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn


Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO" vpn:readWriteSettingsVersion = 1 vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2" vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0 vpn:servers:com.apple.ppp.pptp:enabled = yes vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128" vpn:servers:com.apple.ppp.pptp:Type = "PPP" vpn:servers:com.apple.ppp.pptp:SubType = "PPTP" vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth" vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2" vpn:servers:com.apple.ppp.l2tp:Type = "PPP" vpn:servers:com.apple.ppp.l2tp:enabled = yes vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0 vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP" vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth" vpn:servicePortsRestrictionInfo = _empty_array vpn:health = _empty_dictionary vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log" vpn:configured = yes vpn:state = "STOPPED" vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar.

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box.



Setting Up Client Computers

As you can see, configuring the VPN service in macOS Server 5.4 (running on High Sierra) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so on a Mac, open the Network System Preference pane.

From here, click on the plus sign (“+”) to add a new network service.



At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.



At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.



At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.

Conclusion

Setting Up the VPN service in macOS Server 5.4 is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , ,

macOS Server 5.4 running on High Sierra (macOS 10.13) has an adaptive firewall built in, or a firewall that controls incoming access based on clients attempting to abuse the server. The firewall automatically blocks incoming connections that it considers to be dangerous. For example, if a client attempts too many incorrect logins then a firewall rule restricts that user from attempting to communicate with the server for 15 minutes. If you’re troubleshooting and you accidentally tripped up one of these rules then it can be a bit frustrating. Which is why Apple gives us afctl, a tool that interacts with the adaptive firewall.

To enable the adaptive firewall, use the -f option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f

Alternatively, use the -X option to disable the Adaptive Firewall:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -X

Once run, you’ll receive an error similar to the following:

Sep  8 14:16:18  afctl[16987] <Notice>: Unloading the launchd job

Sep  8 14:16:18  afctl[16987] <Notice>: Setting the start behavior to disabled

Sep  8 14:16:18  afctl[16987] <Notice>: Clearing out the blacklist

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses deleted.

Once started, the most basic task you can do with the firewall is to disable all of the existing rules. To do so, simply run afctl (all afctl options require sudo) with a -d option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -d


You’ll receive no response on successful runs. When run, the adaptive firewall’s rules are disabled. To re-enable them, use the -e option:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -e

Turning off the rules seems a bit much for most troubleshooting tasks. To remove a specific IP address that has been blacklisted, use the -r option followed by the IP address (rules are enforced by IP):

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -r 192.168.210.88

To add an IP to the blacklist, use the -a option, also followed by the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -a 192.168.210.88

Once run, you’ll get a message as follows:

No ALTQ support in kernel

ALTQ related functions disabled

1/1 addresses added.

To permanently add a machine to the whitelist, use -w with the IP:

/Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -w 192.168.210.88

And to remove a machine, use -x. To understand what is going on under the hood, consider this. The blacklisted computers are stored in plain text in /var/db/af/blacklist and the whitelisted computers are stored in the same path in a file called whitelist. The afctl binary itself is stored in /usr/libexec/afctl and can also be enabled with the /System/LIbrary/LaunchDaemons/com.apple.afctl.plist, meaning to force-stop the service outright, use launchctl:

launchctl unload /Applications/Server.app/Contents/ServerRoot/usr/libexec/com.apple.afctl.plist

The configuration file for afctl is at /etc/af.plist. Here you can change the path to the blacklist and whitelist files, change the interval with which it is run, etc. Overall, the adaptive firewall is a nice little tool for macOS Server security, but also something a number of open source tools can do as well. But for something built-in and easy, worth using. There’s a nice little command called hb_summary located in /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS that provides statistics for blocked hosts. To see statistics about how much the Adaptive Firewall is being used, just run the command with no options:

/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/AdaptiveFirewall.bundle/Contents/MacOS/hb_summary

The output provides the following information (helpful if plugging this information into a tool like Splunk):
  • Date
  • Date statistics start
  • Number of hosts blocked
  • Addresses blocked
  • Number of times each address was blocked
  • Last time a host was blocked
  • Total number of times a block was issued
Finally, there are scripts located in /Applications/Server.app/Contents/ServerRoot/usr/libexec that can be used to manage the firewall as well. These include ServerFirewallPromotion.sh (a simple bash script) and ServerFirewallServiceCleanser, a compiled binary.

September 26th, 2017

Posted In: Mac OS X Server, Mac Security

Tags: , , , , , , ,

The statshares option has an -m option to look at a mount path for showing the path to the mount (e.g. if the mount is called krypted this should be something like /Volumes/krypted):

smbutil statshares -m /Volumes/krypted

When run, you see a list of all the attributes OS X tracks for that mount path, including the name of the server, the user ID (octal), how SMB negotiated an authentication, what version of SMB is running (e.g. SMB_1), the type of share and whether signing, extended security, Unix and large files are supported. Additionally, if you’d like to see the attributes for all shares, use the -a option after statshares:

smbutil statshares -a

You’ll then see the SHARE, ATTRIBUTE TYPE, and VALUE for each share mounted. Overall, this is a nice health check type of verb to the smbutil command that can be added to any monitoring or troubleshooting workflow.

September 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , ,

The latest version of the Apple Server app is out (macOS Server 5.4), and before you upgrade, there are a few points to review:
  • As always, make a clone of your computer before upgrading.
  • During the upgrade to High Sierra, if the operating system is running on a solid state drive, the drive will automatically upgrade to APFS. You cannot share APFS volumes over AFP, so if you’re running file services, make sure you’re aware of that. You can choose not to upgrade to APFS using the command line to upgrade a server. Even though the file sharing services are not in the Server app, you can still configure ACLs using the Storage tab under the server’s main screen.
  • The FTP Service is gone.
  • Time Machine service is gone, so if you were relying on that, rethink your backup strategy. Some options:
    • A third party backup tool.
    • A share that Time Machine on client systems can backup to.
    • Don’t upgrade.
  • Xcode Server is gone. You can still leverage third party tools to get build automations in place, but this is no longer a built-in component of macOS Server. 
  • Imaging is dead. But NetInstall still works. Because you need to run a firmware update for High Sierra (and APFS), there are caveats to imaging. You can run a NetInstall to install High Sierra onto clients (which does the firmware update). You can do a NetRestore (and Define NetRestore Sources for NetBoot) from a volume that’s already been converted to APFS to another volume that’s already been converted to APFS. But you can’t NetRestore an HFS+ volume onto an APFS volume or High Sierra on APFS onto a volume running HFS+. Long live DEP.
  • If you’re running Calendar, Contacts, and/or Mail, then you should consider moving to Google Apps or Office 365.
  • Running the Wiki service configures passwords to use a less secure way of storing passwords.
  • Alerts, Certificates, Logs, Stats, creating users, Calendar, Contacts, Mail, Messages, VPN, Websites, Wiki, DHCP, DNS, and Xsan haven’t changed in forevers, and remain pretty static in this version.
  • Open Directory and Software Update aren’t in the Services or Advanced area of the Server sidebar. You’ll access those through the View menu. The slapconfig and other binaries that comprise OD remain pretty much untouched where they are.
  • If you’re running software like anti-virus that has Kernel Extensions, those should work upon upgrade (provided they’re High Sierra compatible). If you reinstall software with Kernel Extensions, you may have to accept the installation of the Kernel Extension, due to a new and more secure way of interacting with Kernel Extensions.
  • There are new options in Profile Manager. 
Provided that you’re ok with all this, we can proceed with the upgrade!

September 26th, 2017

Posted In: Mac OS X, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , , , , ,

Apple has a number of different logging APIs. For the past few releases, Apple has tried to capture everything possible in logs, creating what many administrators and developers might consider to be a lot of chatter. As such, an entirely new interface needed to be developed to categorize and filter messages sent into system logs.

Writing Logs

The logger command is still used to create entries in system logs. However, if you are then using tail to view /var/log/system.log then you will notice that you no longer see your entry being written. This is because as the logs being created in macOS have gotten more complex, the tools to read and write those logs has gotten more complicated as well. Let’s take a simple log entry. Below, we’ll write the string “Hello Logs” into the system log. To do so, use the –i option to put the process id of the logger process and –s to write to the system log, as well as to stderr. To make the entry easier we’ll tag it with –t followed by the string of the tag. And finally, we’ll quote the entry we want written into the log. This is basically the simplest form of an entry: logger -is -t krypted "Hello Logs" Once written, use the log command to read your spiffy new entries. This isn’t terribly different than how things worked previously. If you’re a developer, you will need to note that all of the legacy APIs you might be using, which include asl_log_message, NSLog, and syslog, have been redirected to the new Unified Logging system, provided you build software for 10.12 (you can still build as before for 10.11, iOS 9, tvOS 10, and watchOS 3 and below). These are replaced with the os_log, os_log_info, os_log_debug, os_log_error, os_log_fault, and os_log_create APIs (which correspond to various levels of logs that are written).

Reading Logs

Logs are now stored in the tracev3 formatted files in /var/db/diagnostics, which is a compressed binary format. As with all binary files, you’ll need new tools to read the files. Console has been updated with a new hierarchical capability and the ability to watch activities, subsystems, etc. The log command provides another means of reading those spiffy new logs. To get started, first check out the man page: man log That “Hello Logs” string we used earlier is part of a message that you can easily view using the ‘log show’ command. In the below example, we’ll just run a scan of the last 3 minutes, using the –last option, and then providing a –predicate. We’ll explain those a bit later, but think of it as query parameters – here, we’ll specify to look for “Hello Logs” in eventMessage: log show --predicate 'eventMessage contains "Hello Logs"' --last 3m Filtering the log data using “eventMessage CONTAINS “Hello Logs”” shows us that our entry appears as follows:
Timestamp                       Thread     Type        Activity             PID 2017-03-23 23:51:05.236542-0500 0x4b83bb   Default     0x0                  88294  logger: Hello Logs ——————————————————————————————————————– Log      – Default:          1, Info:                0, Debug:             0, Error:          0, Fault:          0 Activity – Create:           0, Transition:          0, Actions:           0
How do you find out what to use where? Here’s an example where I’m going to try to find all invalid login attempts. First, I’m just going to watch the logs. Many will prefer the “log stream’ command. I’m actually going to just use show again, because I like the way it looks more. I’m also going to use log with the syslog –style so it’s easier to read (for me at least), and then here I’m just looking at everything by specifying a space instead of an actual search term: log show --style syslog --predicate 'eventMessage contains " "' --info --last 24h Looking at the output, you can see an entry similar to the following:
2017-03-23 14:01:43.953929-0500  localhost authorizationhost[82865]: Failed to authenticate user <admin> (error: 9).
Oh, I’ve got to just search for Failed to authenticate user” and I’ll be able to count invalid login attempts. To then take this and place it into a command that, for example, I could build an extension attribute using, I can then just find each entry in eventMessage that contains the string, as follows: log show --style syslog --predicate 'eventMessage contains "Failed to authenticate user"' --info --last 1d As with many tools, once you have a couple of basic incantations, they become infinitely simpler to understand. These few commands basically get you back to where you were with tailing logs. If you want to get that –f functionality from tail, to watch the logs live, just swap show with stream. The most basic incantation of this would just be ‘log stream’ without bothering to constrain the output: log stream Running this is going to spew so much data into your terminal session. So to narrow down what you’re looking for, let’s look at events for Twitter: log stream --predicate 'eventMessage contains "Twitter"' You can also view other logs and archives, by calling a file name: log show system_logs.logarchive

Organization and Classification

The new logging format also comes with Subsystems. If you’re a developer you’ll be able to file your messages into, for example, a com.yourname.whatevers domain space, so you can easily find your log messages. You can also build categories, and of course, as we noted previously, tag. So there are about as many ways to find log entries as you can possibly ask for. Apple has a number of subsystems built into macOS. I put together a list of Apple subsystems into a class that you should be able to throw into your python projects at https://gist.github.com/krypted/495e48a995b2c08d25dc4f67358d1983. You also have different logging levels. These include the basic levels of Default, Info, and Debug. You also have two special levels available: Fault and Error. All of this is to add hierarchical logs (which makes tracing events a much more lovely experience) and protecting privacy of end users (think sandbox for logs). I’d recommend watching the WWDC session where Unified Logging was introduced at https://developer.apple.com/videos/play/wwdc2016/721 if you’re interested in learning more about these types of things, especially if you’ll be building software that makes use of these new logging features. The one thing that’s worth mentioning for the Mac Techs out there, is how you would go about switching between logging levels for each subsystem. This is done with the ‘log config’ command. Here, I’ll use the –mode option to set the level to debug, and then defining the substyem to do so with using the –subsystem option: log config --mode "level:debug" --subsystem com.krypted If you have a particularly dastardly app, the above might just help you troubleshoot a bit. As mentioned earlier, we also have these predicates, which you can think of as metadata in the searching context. These include the following:
  • category: category of a log entry
  • eventMessage: searches the activity or message
  • eventType: type of events that created the entry (e.g. logEvent, traceEvent)
  • messageType – type or level of a log entry
  • processImagePath: name of the process that logged the event
  • senderImagePath: not all entries are created by processes, so this also includes libraries and executables
  • subsystem: The name of the subsystem that logged an event

Comparisons and Searches

OK, now let’s make things just a tad bit more complicated. We’ll do this by stringing together search parameters. Here, we have a number of operators available to us, similar to what you see in SQL. These include:
  • && or AND to indicate two matches
  • || or OR indicates one of the patterns matches
  • ! or NOT searches for items that the patterns don’t match for, which is useful for filtering out false positives in scripts
  • = to indicate that one search matches a pattern or is equal to
  • != to indicate that the search is not equal to
  • > is greater than
  • < is less than
  • => means greater than or equal to
  • =< means less than or equal to
  • CONTAINS indicates a string matches a given pattern with case sensitivity
  • CONTAINS[c] indicates a string matches a given pattern without case sensitivity
  • BEGINSWITH indicates a string begins with a given pattern
  • ENDSWITH indicates that a string ends with a given pattern
  • LIKE indicates a pattern is similar to what you’re searching for
  • MATCHES indicates that two text strings match
  • ANY, SOME, NONE, IN are used for pattern matching in arrays
  • NULL indicates a NULL response (for example, you see “with error (NULL)” in logs a lot)
To put these into context, let’s use one in an example. Thus far my most common as been a compound search, so matching both patterns. Here, we’ll look at the WirelessProximity subsystem for Bluetooth and we’ll look at how often it’s scanning for new devices, keeping both patterns to match inside their own parenthesis, with all patterns stored inside single quotes, as follows: log show --style syslog --predicate '(subsystem == "com.apple.bluetooth.WirelessProximity") && (eventMessage CONTAINS[c] "scanning")' --info --last 1h Developers and systems administrators will find that the Apple guide on predicate programming, available at https://developer.apple.com/library/prerelease/content/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html, to be pretty useful if you’re doing lots of this kind of work. Note: sysdiagnose, a tool long used for capture diagnostics information to include in bug reports, is still functional, and now includes Unified Logging information, so Apple developers can get a complete picture of what’s going on in systems.

Conclusion

Ultimately, the new Unified Logging is a bit more complicated than the previous options for both creating and reading logs. But once you get used to it, you’ll log it – I mean, love it. I find that I use less grep and awk and get more concise results. I also like the fact that the same code is useable with all four platforms, so learn once and re-use across devices. There’s a lot of information out there, but I had to go hunting around. Hopefully having a number of links and a the structure used in this article makes it easier to learn how to use all these new new little toys! Good luck!

July 26th, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

Some apps have defaults domains that don’t work the same as other apps and you need to use the -app option in defaults. This option is available for most apps, and sometimes I’ll use it to specifically crawl around for a specific setting I’m looking for. But for other apps, you need to interact with them there. So let’s look at Eclipse. Here, we can do a read with -app followed by the path: defaults read -app /Applications/eclipse/Eclipse.app/ The output would be as follows:
{ NSNavLastRootDirectory = “~/smb/smb”; NSNavPanelExpandedSizeForOpenMode = “{712, 426}”; NSScrollAnimationEnabled = 0; WebKitJavaEnabled = 0; }
Now, let’s say you had a specific setting, like fixing an anti-aliasing issue: defaults write -app /Applications/eclipse/Eclipse.app AppleAntiAliasingThreshold 19 #thanksaloteclipseupdaters

June 4th, 2017

Posted In: Java, Mac OS X, Mac OS X Server, Mac Security

Tags: ,

June 2nd, 2017

Posted In: Mac OS X, Mac OS X Server, Mac Security, MacAdmins Podcast

Tags: , , , , ,

Next Page »