• Mac Security

    Find Running Binaries Masquerading as Files

Binaries should not be called salesreports.doc or timesheet.pdf. If a file with a document extension is executing then it’s most likely bad. Like rulllll bad. So on a Mac, you can check what’s running in that context by piping ps output to grep and using the \| as an OR statement to check for files that match a few known document types, as follows: ps aux | grep '.doc\|.pdf\|.png\|.docx\|.mpkg\|.pkg\|.xls\|.ods\|.xlsx\|.odt\|.key\|.htm\|.txt\|.csv\|.xml\|.json\|.pdf\|.ogg\|.rtf\|.dmp\|.aac\|.mp3\|.psg\|.mp4\|.m4a\|.gz\|.png\|.html\|.jpg\|.rss\|.jpeg\|.vb\|.wav\|.svg\|.bmp\|.pps\|.ppt\|.php\|.pptx\|.tiff\|.tif\|.gzip\|.wmv\|.zip\|.rar\|.bin\|.iso\|.sql\|.ico'
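An added example, not from the original post, that tightens the same check: the extension is escaped and anchored to the end of the executable path, and the process list comes from `ps -axo comm=` (on macOS that column is the full path) so command-line arguments cannot cause false matches. The ps lines in SAMPLE are constructed for offline use.

```sh
#!/bin/sh
# Extensions a running executable should never carry (constructed list).
DOC_EXTS='doc|docx|pdf|png|jpg|jpeg|xls|xlsx|ppt|pptx|txt|csv|rtf|html|htm|zip|rar|iso'

# Constructed sample in "pid user path" layout, as ps -axo pid=,user=,comm= prints on macOS.
SAMPLE='123 root /usr/libexec/trustd
456 alice /Applications/Safari.app/Contents/MacOS/Safari
789 alice /Users/alice/Downloads/salesreports.doc
790 alice /Users/alice/Downloads/Q3 report.pdf
791 alice /usr/bin/grep
792 alice /Users/alice/Desktop/INVOICE.PDF
793 alice /Library/Caches/timesheet.pdf.app/Contents/MacOS/timesheet.pdf'

# Print stdin lines whose last column (the executable path) ends in one of
# DOC_EXTS, case-insensitively. "\." stops ".doc" matching "xdoc" and "$"
# stops "/path/report.pdf.sh" style names matching on an inner dot.
find_masquerading() {
    grep -E -i "\.(${DOC_EXTS})$"
}

# Number of suspicious lines in a listing on stdin; handy for alert thresholds.
count_masquerading() {
    find_masquerading | wc -l | tr -d ' '
}

# Live scan on a Mac. Each hit is a lead to inspect (file, codesign, parent
# process), not a verdict on its own.
scan_live() {
    ps -axo pid=,user=,comm= | find_masquerading
}

if [ "${1:-}" = "--live" ]; then
    scan_live
else
    printf '%s\n' "$SAMPLE" | find_masquerading
fi
```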

  • Mac OS X,  Mac Security,  Mass Deployment,  Network Infrastructure,  precache

    One-liner To Grab Which macOS Caching Server You’re Using

    There’s a macOS tool called AssetCacheLocatorUtil located at /usr/bin/AssetCacheLocatorUtil. The output is in… stderr. Because stderr is so fun to work with (note that sed -i only works with stdin). So, to update the caching server(s) you are using and only print the IP address of those, you’d do the following: /usr/bin/AssetCacheLocatorUtil 2>&1 | grep guid | awk '{print$4}' | sed 's/^\(.*\):.*$/\1/' | uniq If you use Jamf Pro and would like to use this as an extension attribute, that’s posted here: https://github.com/krypted/cachecheck. I didn’t do any of the if/then there, as I’d usually just do that on the JSS.

  • Mac OS X,  Mac OS X Server

    Scripted Country Geolocations Using OS X’s Built-In ip2cc

Recently I was working on a project where we were isolating IP addresses by country. In the process, I found an easy little tool built right into OS X called ip2cc. Using ip2cc, you can look up what country an IP is in. To do so, simply run ip2cc followed by a name or IP address. For example, to look up apple.com you might run: ip2cc apple.com Or to look up Much Music, you might run: ip2cc muchmusic.ca The output would be: IP::Country modules (v2.28) Copyright (c) 2002-13 Nigel Wetters Gourlay Database updated Wed May 15 15:29:48 2013 Name: muchmusic.com Address: 199.85.71.88 Country: CA (Canada) You can just get the country line: ip2cc…

  • Active Directory,  Microsoft Exchange Server,  Windows Server

    Grep, Search, Loops and Basename for Powershell Hotness

    Simple request: Search for all files in a directory and the child directories for a specific pattern and then return the filename without the path to the file. There are a few commandlets we end up needing to use: Get-ChildItem: Creates a recursive array of filenames and pipes that output into the For loop. ForEach-Object: Starts a for loop, looping through the output of the command that has been piped into the loop (much easier than an IFS array IMHO). If: This starts the if pattern that ends after the select-string in the below command, but only dumps the $_.PSPath if the pattern is true. Select-String: Searches for the content…

  • Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

    Troubleshooting Mac OS X Kernels w/ dmesg

    The first thing that loads in OS X is the kernel. The kernel is how users interface with hardware and sets the stage for interaction by probing for each driver that needs to be loaded and tracking what is found. The presence of everything about the system is tracked when the kernel loads as well as pertinent boot parameters. Even if you’re booting in verbose mode, most of this probably happens too fast to notice. You might be able to pause it, but you’re still trying to react to things too quickly in many cases. That’s where the dmesg command comes into play, which lets you review and control the…

  • Mac OS X,  Mac OS X Server,  Mass Deployment

    One More Character In Serials

Yesterday I showed a way to get the serial number from a Mac OS X machine. However, as a couple of people pointed out, Apple will soon be adding another character to the serial number. This means that rather than use cut I should have used awk to allow for either serial number length. To grab the serial this way: ioreg -l | grep IOPlatformSerialNumber | awk '{print $4}' Or without the quotes: ioreg -l | grep IOPlatformSerialNumber | awk '{print $4}' | sed 's/"//g'

  • Xsan

    Don't Defrag the Whole SAN

I see a number of environments that are running routine defragmentation scripts on Xsan volumes. I do not agree with this practice, but given certain edge cases I have watched it happen. When defragmenting a volume, there is no reason to do so to the entire volume. Especially if much of the content is static and not changing very often. And if specific files don’t have a lot of extents then they are easily skipped. Let’s look at a couple of quick ways to narrow down your defrag using snfsdefrag. The first is by specifying the path. In this case you would specify a -r option and follow that with…

  • Xsan

    Isolating iNodes in Xsan cvfsck Output

    I’ve noticed a couple of occasions where data corruption in Xsan causes a perceived data loss on a volume. This does not always mean that you have to restore from backup. Given the cvfsck output, you can isolate the iNodes using the following: cat cvfsck.txt | grep *Error* | cut -c 27-36 > iNodeList.txt Once isolated you can then use the cvfsdb tool to correlate this to file names. For example, if you have an iNode of 0x20643c8 then you can convert this into a file name using the following: cvfsdb> show inode 0x20643c8 The output will be similar to the following: 000: 0100 8000 3f04 0327 5250 2daa 0000…

  • Mac OS X,  Ubuntu,  Unix,  Xsan

    Uniq Logs

    Recently I’ve been looking at a lot of log files. And sorting through them can be a bit of a pain. However, there are some tools out there to help make this process a bit easier. The first of these is sort. If I have a log that has 1,000 lines, while I like to initially see any lines that are repeated numerous times so that I can see when servers are throwing a lot of errors, combing through them can get tedious. Sort will help to reduce the volume and organize them in a manner that makes sense. For example, to sort the logs and remove duplicate line entries…

  • Mac OS X,  Mass Deployment

    What Is My Build Number?

I have been known to occasionally ask what build number of Mac OS X someone is using. The sw_vers command can be used to obtain this. Simply run: sw_vers And the BuildVersion will be listed. Or just to get the BuildVersion: sw_vers | grep BuildVersion Or to just get the number (useful in scripts that catalog such a thing): sw_vers | grep BuildVersion | cut -c 15-21 As one comment just indicated, you could also just use `sw_vers -buildVersion`. I guess I should review these commands every operating system or 4… Thanks Allen.