krypted.com

Tiny Deathstars of Foulness

The tools to automate OS X firewall events from the command line are still stored in /usr/libexec/ApplicationFirewall. And you will still use socketfilterfw there for much of the heavy lifting. However, now there are much more helpful and functional options in socketfilterfw that will allow you to more easily script the firewall.

Some tricks I’ve picked up with the Mac Firewall/alf scripting:

  • Configure the firewall fully before turning it on (especially if you’re doing so through something like Casper, FileWave, Munki, or Absolute Manage where you might kick yourself out of your session otherwise).
  • Whatever you do, you can always reset things back to defaults by removing the com.apple.alf.plist file from /Library/Preferences replacing it with the default plist from /usr/libexec/ApplicationFirewall/com.apple.alf.plist.
  • Configure global settings, then per-application settings, then enable the firewall. If a remote system, do ;wait; and then enable the first time to make sure everything works before enabling the firewall for good.
  • To debug, use the following command: “/usr/libexec/ApplicationFirewall/socketfilterfw -d”

In /usr/libexec/ApplicationFirewall is the Firewall command, the binary of the actual application layer firewall and socketfilterfw, which configures the firewall. To configure the firewall to block all incoming traffic:

/usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on

To see if block all is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getblockall

The output would be as follows, if successful:

Firewall is set to block all non-essential incoming connections

A couple of global options that can be set. Stealth Mode:

/usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

To check if stealth mode is enabled:

/usr/libexec/ApplicationFirewall/socketfilterfw --getstealthmode

Firewall logging:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

You can also control the verbosity of logs, using throttled, brief or detail. For example, if you need to troubleshoot some issues, you might set the logging to detail using the following command:

/usr/libexec/ApplicationFirewall/socketfilterfw --setloggingopt: detail

To start the firewall:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

While it would be nice to think that that was going to be everything for everyone, it just so happens that some environments actually need to allow traffic. Therefore, traffic can be allowed per signed binary. To allow signed applications:

/usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned on

To check if you allow signed apps:

/usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned

This will allow all TRUSTEDAPPS. The –listapps option shows the status of each filtered application:

/usr/libexec/ApplicationFirewall/socketfilterfw --listapps

To check if an app is blocked:

/usr/libexec/ApplicationFirewall/socketfilterfw –getappblocked /Applications/MyApp.app/Contents/MacOS/myapp

This shows the number of exceptions, explicitly allowed apps and signed exceptions as well as process names and allowed app statuses. There is also a list of TRUSTEDAPPS, which will initially be populated by Apple tools with sharing capabilities (e.g. httpd & smbd). If you are enabling the firewall using a script, first sign your applications that need to allow sharing but are not in the TRUSTEDAPPS section by using the -s option along with the application binary (not the .app bundle):

/usr/libexec/ApplicationFirewall/socketfilterfw -s /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, verify the signature:

/usr/libexec/ApplicationFirewall/socketfilterfw -v /Applications/MyApp.app/Contents/MacOS/myapp

Once signed, trust the application using the –add option:

/usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/MyApp.app/Contents/MacOS/myapp

To see a list of trusted applications. You can do so by using the -l option as follows (the output is pretty ugly and needs to be parsed better):

/usr/libexec/ApplicationFirewall/socketfilterfw -l

If, in the course of your testing, you determine the firewall just isn’t for you, disable it:

/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off

To sanity check whether it’s started:

/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

Or to manually stop it using launchctl (should start again with a reboot):

launchctl unload /System/Library/LaunchAgents/com.apple.alf.useragent.plist
launchctl unload /System/Library/LaunchDaemons/com.apple.alf.agent.plist

If you disable the firewalll using launchctl, you may need to restart services for them to work again.

July 16th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

You can customize the number of times that you enter an incorrect password before you get the password hint in the loginwindow on OS X. To do so, use the defaults command to send a RetriesUntilHint integer key into com.apple.loginwindow.plist stored at /Library/Preferences using the following command:

defaults write /Library/Preferences/com.apple.loginwindow RetriesUntilHint -integer 10

March 25th, 2014

Posted In: Mac OS X, Mass Deployment

Tags: , , , , ,

Here’s the thing: I’m not very good with computers. So to keep me from hurting myself too badly, I need the simplest interface available that allows me to run multiple applications. But most of the command keys shouldn’t work in this interface and I should only have Finder, file and Help menus.

Luckily for my poor MacBook Airs, Apple thought of people like me when they wrote the Finder and invented something called Simple Finder which makes OS X even simpler than it is by default to use. To enable Simple Finder, just go to Parental controls, enable controls for a user and then check the box for Simple Finder. Or, if you have an entire population of users like me, who simply can’t be trusted with a full operating environment, you can send the InterfaceLevel key with the contents of simple (easy to remember for those of us who resemble said key) to com.apple.finder and restart our friendly neighborhood Finder:

defaults write com.apple.finder InterfaceLevel simple; killall Finder

Come to think of it, maybe I’m not so awful. Let’s say I want to turn that whole Simple Finder thing right back off. Well, all we have to do is delete that key we created and then restart the Finder:

defaults delete com.apple.finder InterfaceLevel; killall Finder

Actually, I am terrible with these things. So much so that it’s not appropriate for me to use a computer. Therefore, just take it away. I’ll be better off using that Samsung with Windows 8 for awhile. At least there, I won’t be able to get any of my apps open or find any of the administrative tools that could damage the computer!

May 17th, 2013

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , ,

For many environments, securing OS X is basically trying to make the computer act more like an iOS device. Some of the easier tasks involve disabling access to certain apps, sandboxing and controlling access to certain features. One of the steps en route to building an iOS-esque environment in OS X is to disable that Go to Folder… option. To do so, set the ProhibitGoToFolder key as true in com.apple.finder:

defaults write com.apple.finder ProhibitGoToFolder -bool true

Then reboot, or kill the Finder:

killall Finder

To undo, set the ProhibitGoToFolder as false:

defaults write com.apple.finder ProhibitGoToFolder -bool false

November 11th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , ,

There are a few ways I like to extend my battery life on my MacBook Air. These days, it’s increasingly important to conserve battery life as the transition to Mountain Lion (Mac OS X 10.8) has caused my battery life to spiral into so much of a vortex that I am concerned that my laptop must be shooting raw electricity out of the bottom (which would certainly explain why my hair has a tendency to be perpendicular with the ground when I exit a plane). Ever since moving to Mountain Lion (yes, this includes 10.8.2), I’m lucky to get 3 hours of battery life out of the Mac that used to give me at least 5 hours…

There are a number of tricks that I use to extend battery life. Some are obvious, such as dimming the screen, only using an app at a time, killing off menu items, temporarily stop Spotlight Indexing and killing off LaunchDaemons and LaunchAgents that I’m not using. I even used to used an app called CoolBookController to throttle my processor speeds while flying. But that doesn’t work as of Lion (certainly not in Mountain Lion).

One thing that I’ve been able to do that extends my battery life a little more (maybe an extra half hour) is to kill off Notification Center (I wrote about customizing Notification Center earlier here). I know, I know, it shouldn’t matter… But recently, a customer asked me to script disabling Notification Center. Since I’ve been killing it off with a script, this was a pretty straight forward task. It’s easy to disable Notification Center temporarily using the GUI. Simply click on the Notification Center icon in the menu bar and then scroll up to see the “Show Alerts and Banners” button. Click OFF or ON to toggle it off and on. As you can see, Notification Center then starts back up the next day.

To disable Notification Center from the command line, write a KeepAlive key that is false into the /System/Library/LaunchAgents/com.apple.notificationcenterui.plist like so:

sudo defaults write /System/Library/LaunchAgents/com.apple.notificationcenterui KeepAlive -bool false

Then, if you kill NotificationCenter off, it’ll stay off:

killall NotificationCenter

If you want to re-enable Notification Center, you’d just run the same with a true:

sudo defaults write /System/Library/LaunchAgents/com.apple.notificationcenterui KeepAlive -bool true

The easy way to then get it back is to reboot. Now, just for giggles, Notification Center is actually the /System/Library/CoreServices/NotificationCenter.app and in there lies the /System/Library/CoreServices/NotificationCenter.app/Contents/MacOS/NotificationCenter binary. If you open it, you’ll get multiple Notification Center icons in the menu bar. I’m not sure why I decided to try that at some point. But it’s kinda’ fun…

Ultimately, I travel with multiple MacBooks, so rather than toss one of them in a checked bag, or one destined for the overhead, I am temporarily just keeping a second 11 in the bag I keep under the seat in front of me for now…

October 22nd, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

When I’m writing, I like to listen to music in the background. When writing, I also like to have everything minimized so I can quickly grab a screenshot of the desktop where needed. This means that when I run into a track that doesn’t work with whatever I’m writing that I would need to unminimize iTunes, click the next button and then re-minimize iTunes. Awhile back I found a better way but can’t remember where for attribution. So, part of my default user template and imaging framework now includes setting the iTunes Dock icon to show the track that I’m playing so I can easily go to the next song, filing away the current song to remove from whatever playlist at a later date in case I’ve forgotten who the artist was. By default the iTunes Dock icon doesn’t show the current playing track. To tell it to:

defaults write com.apple.dock itunes-notifications -bool TRUE

Then killall Dock:

killall Dock

Now when you click on iTunes in the dock and hold the mouse down, you’ll see the following:

If you later decide you don’t like this:

defaults write com.apple.dock itunes-notifications -bool FALSE

And then killall Dock:

killall Dock

July 29th, 2012

Posted In: Mac OS X

Tags: , , , , , , , ,

The process has changed a little bit in Mountain Lion for disabling shadows on screen shots, sometimes… By default, there’s no com.apple.screencapture manifest, so the first step is to create it with the boolean disable-shadow key set to true. This part is the same as with Lion:

defaults write com.apple.screencapture disable-shadow -bool TRUE

Now check that disable-shadow shows as a 1:

defaults read com.apple.screencapture

But where it’s a little different is that you previously killed SystemUIServer w/out sudo:

killall SystemUIServer

SystemUIServer would then open back up and screenshots wouldn’t have shadows. And this still works sometimes. But now, I’ve noticed across the 30 or so systems in my lab that while you don’t get an error, the process doesn’t actually change the screen shots from time to time. Sometimes, you need to put sudo in front of the killall now:

sudo killall SystemUIServer

Now everything should work as intended.

July 25th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

One of my little irritations about OS X just got easier. When I’m using Mail and I copy and email address and paste it somewhere, it has the name of the contact bracing the email address wrapped with a <>. This is a royal pain. I am pretty sure that every single flippin’ time I’ve removed the cruft around the email address. While digging around in com.apple.mail I noticed a key for AddressesIncludeNameOnPasteboard that was set to True. Holy crap. Change to False and this minor irritation is gone. Viola, OS X is now even better:

defaults write com.apple.mail AddressesIncludeNameOnPasteboard -bool FALSE

To set it back:

defaults write com.apple.mail AddressesIncludeNameOnPasteboard -bool TRUE

I’m sure others have uncovered this before me (mostly because I googled it after I found it). So nothing really new here, but pretty sure that one will save me at least 3 minutes per year. Yay for me.

July 19th, 2012

Posted In: Mac OS X

Tags: , , , , ,

10.7 and up have a little feature called elastic scrolling. When you get to the top of a page and you keep scrolling you see the linen background. There is a NAS devices whose web portals seems to be pretty shady overall, but specifically seems to lock up when this rubber band effect kicks in. So to disable:

defaults write -g NSScrollViewRubberbanding -bool FALSE

To disable the disable, or re-enable the effect:

defaults write -g NSScrollViewRubberbanding -bool TRUE

June 24th, 2012

Posted In: Mac OS X

Tags: , , , , ,

There are a number of features that make mass deployment of Mac OS X pretty easy. Some of these would be great to have in Windows. These range from systemconfiguration to networksetup and the ability to look at packages that have been installed and review their bills of material. Well, the good people at Vexasoft have built a number of Powershell libraries that, while they aren’t named as such, do a number of the features that these commands do, just for Windows clients via Powershell. And the best part is, a number of them are free.

Let’s look at what some of these commands do:

  • First, there are the cmdlets used to manage the network stack (so similar to various verbs in networksetup). These include Add-NetworkAdapterDNS, Add-NetworkAdapterGateway, Add-NetworkAdapterIP, Disable-NetworkAdapter, Enable-NetworkAdapter, Get-NetworkAdapter, Remove-NetworkAdapterIP, Remove-NetworkAdapterGateway, Remove-NetworkAdapterDNS, Set-(followed by the others from the above sets) and Rename-NetworkAdapter.
  • Second, you can automate binding with Set-Domain. This is similar to dsconfigad but less awesome because it’s third party, but still more awesome than the native tools because it’s easier.
  • Third, rename the system. This is similar to scutil, hostname, sets. Just use Rename-Computer to change the name of a Windows system.
  • My favorite, having written something similar, is probably Get-RemoteDesktopConfig and Set-RemoteDesktopConfig, similar to the kickstart options in OS X.
  • And a tool similar to installer in OS X, Install-MSIProduct, which installs MSIs.
  • Sixth, there’s Set-Pagefile, because if you’re gonna’ change it, do so while imaging to save a reboot later…
  • While there are others, the final one I’d like to mention is still free: Get-RegistryKey, which gives us the ability to basically run the closest thing to defaults commands I’ve found against the Windows platform.

They install as standard Powershell modules, making them easy to drop into practically any imaging environment. Much of these can be done via WMI or Powershell already, but will require a bit more legwork to script. Having them pre-built makes it easier than ever to perform some basic tasks for other platforms en masse, on Windows.

June 14th, 2012

Posted In: Mass Deployment, Windows Server, Windows XP

Tags: , , , , , , , , , , , ,

Next Page »