macOS allows you to launch an app in a hidden state. To do so, use the open command with the -a flag to specify the path of the app, and add --hide after the path to the app, as follows:
20180407065616.20180407065646 20180407073836.20180407073931 current
The files are binary and so cannot be read properly without the use of a tool to interpret the output. In the next section we will review how to read the logs.
Binary files aren’t easy to read. Using the praudit binary, you can dump audit logs into XML using the -x flag followed by the path of the log. For example, the following command would read a given log in the above /var/audit example directory:
In the above output, you’ll find the time that an event was logged, as well as the type of event. This could be parsed for specific events and, as an example, used to dump just the time and event into simple JSON or XML for tracking in another tool. That is useful if, for example, you’re doing statistical analysis of how many times privileges were escalated as a means of detecting a bad actor on a system.
You can also use the auditreduce command to filter records. Once filtered, results are still in binary and must be converted using praudit.
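One way to do the parsing described above, as an added example rather than code from the original post: it reads praudit -x style XML, reduces each record to time, event, user and result as JSON, and counts outcomes for watched events. The sample records and the choice of "user authentication" as the watched event name are assumptions; substitute the event names that appear in your own logs.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

# Constructed sample shaped like `praudit -x` output (not from a real host).
# The closing </audit> tag is left off on purpose, as happens when the log
# is still being written (the "current" file).
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<audit>
<record version="11" event="user authentication" modifier="0" time="Sat Apr  7 06:56:16 2018" msec=" + 449 msec" >
<subject audit-uid="charles" uid="root" gid="wheel" ruid="charles" rgid="staff" pid="810" sid="100004" tid="0 0.0.0.0" />
<text>Verify password for record type Users</text>
<return errval="success" retval="0" />
</record>
<record version="11" event="user authentication" modifier="0" time="Sat Apr  7 06:56:31 2018" msec=" + 12 msec" >
<subject audit-uid="guest" uid="root" gid="wheel" ruid="guest" rgid="staff" pid="822" sid="100004" tid="0 0.0.0.0" />
<return errval="failure: Operation not permitted" retval="1" />
</record>
<record version="11" event="user authentication" modifier="0" time="Sat Apr  7 06:56:40 2018" msec=" + 3 msec" >
<subject audit-uid="guest" uid="root" gid="wheel" ruid="guest" rgid="staff" pid="823" sid="100004" tid="0 0.0.0.0" />
<return errval="failure: Operation not permitted" retval="1" />
</record>
<record version="11" event="logout - local" modifier="0" time="Sat Apr  7 06:56:46 2018" msec=" + 90 msec" >
<subject audit-uid="charles" uid="charles" gid="staff" ruid="charles" rgid="staff" pid="830" sid="100004" tid="0 0.0.0.0" />
<return errval="success" retval="0" />
</record>
"""

# Assumption: event names to treat as authentication / escalation activity.
WATCHED = {"user authentication"}


def to_iso(stamp):
    """Convert praudit's ctime-style timestamp to ISO 8601."""
    return datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y").isoformat()


def parse_records(xml_text):
    """Return one dict per completed <record>, tolerating a truncated file."""
    parser = ET.XMLPullParser(events=("end",))
    parser.feed(xml_text)  # close() is never called, so a missing </audit> is fine
    records = []
    for _, elem in parser.read_events():
        if elem.tag != "record":
            continue
        subject = elem.find("subject")
        ret = elem.find("return")
        records.append({
            "time": to_iso(elem.get("time")),
            "event": elem.get("event"),
            "user": subject.get("audit-uid") if subject is not None else None,
            "result": ret.get("errval") if ret is not None else None,
        })
    return records


def count_outcomes(records, watched=WATCHED):
    """Count success/failure per watched event, for trending in another tool."""
    counts = Counter()
    for rec in records:
        if rec["event"] in watched:
            outcome = "success" if rec["result"] == "success" else "failure"
            counts[(rec["event"], outcome)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(json.dumps(recs, indent=2))
    for (event, outcome), n in sorted(count_outcomes(recs).items()):
        print(f"{event}: {outcome} x{n}")
```

To run it against a real log, replace SAMPLE with the text produced by praudit -x for that file.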
Migrating file services from a macOS Server to a macOS Client can be a bit traumatic at first. Mostly because the thought itself can be a bit daunting. But once you get started, it’s pretty simple. Mostly because there’s less to do. And that can be a challenge. While there are ways to hack together solutions for network homes and other more advanced features, if you’re doing that, then you’re missing a key point here.
Let’s start by documenting our existing share points. We’ll do this with the serveradmin command and using the settings verb for the sharing service as follows:
sudo serveradmin settings sharing
Each share is an item in the sharePointList array, with the following:
Once you’ve removed the Server app, you’ll be left with using the sharing command. Using that command, you can list shares using the -l option:
That same share then appears as follows:
List of Share Points
name: Charles Edge’s Public Folder
name: Charles Edge’s Public Folder
guest access: 1
inherit perms: 0
name: Charles Edge’s Public Folder
guest access: 1
Or from the Sharing System Preference Pane. Now you just have to loop through and create each share (although they should co-exist between tools). To create a share, click on the plus sign under Shared Folders. You can then browse to the folder you’d like to share. Next, we’ll give access to the directory. Use the plus sign on the right side of the screen and then select the user or group you’d like to add to the list that has access to the directory (while the directory is highlighted in the list on the left). Once the user is in the list, use the permissions on the right side of the user list to select what level each user or group gets. You have additional controls for file and folder security that can be set at either the directory that is shared or those below it hierarchically. To do so, highlight the directory and use the Get Info option under the File menu in the Finder. Note: You can also check the Shared Folder box on these folders to share them, meaning you have one less step once you get used to the workflow!
Carbonite is a great tool for backing up Macs and Windows devices. To install Carbonite, download it from www.carbonite.com. Once downloaded, copy the app to the /Applications directory and open the app. The Carbonite app will then install the components required to support the backup operations and index the drive. Next, you’ll see some basic folders that will be backed up. Check the box for those you want to add to the backup (or do this later) and click the Install button. Click Open Carbonite. Notice that the backup has begun! The only really customer-installable action is to select the directories to be backed up, which is done using the left-hand sidebar. And that’s it. There aren’t a lot of other options in the GUI. You can access more options at /Library/Preferences/com.carbonite.carbonite.plist.
The DNS service in macOS Server was simple to set up and manage. It’s a bit more manual in macOS without macOS Server. The underlying service that provides DNS is Bind. Bind will require a compiler to install, so first make sure you have the Xcode command line tools installed. To download Bind, go to ISC at https://www.isc.org/downloads/. From there, copy the installer locally and extract the tar file. Once that’s extracted, run the configure from within the extracted directory:
Now download a LaunchDaemon plist (I just stole this from the org.isc.named.plist on a macOS Server, which can be found at /Applications/Server.app/Contents/ServerRoot/System/Library/LaunchDaemons/org.isc.named.plist or downloaded using that link). The permissions for a custom LaunchDaemon need to be set appropriately:
Synology is able to do everything a macOS Server could do, and more. So if you need to move your VPN service, it’s worth looking at a number of different solutions. The most important question to ask is whether you actually need a VPN any more. If you have git, mail/groupware, or file services that require remote access then you might want to consider moving these into a hosted environment somewhere. But if you need access to the LAN and you’re a small business without other servers, a Synology can be a great place to host your VPN services.
Before you set up anything new, first snapshot your old settings. Let’s grab which protocols are enabled, running the following from Terminal:
Once we have all of this information, we can configure the new server using the same settings. To install the VPN service on a Synology, first open the Synology and click on Package Center. From there, click on All and search for VPN. Then click on the Install button for VPN. Once installed, open VPN Server from the application launcher in the upper left-hand corner of the screen. Initially, you’ll see a list of the services that can be run, which include the familiar PPTP and L2TP, along with the addition of Open VPN. Before we potentially open up dangerous services to users we might not want to have access to, click on Privilege. Here, enable each service for each user that you want to have access to the VPN services. Now that we can safely enable and disable each of the services, click on PPTP in the sidebar of the VPN Server app (if you want to provide PPTP-based services to clients). Here, check the box for “Enable PPTP VPN server” and enter the following information:
Dynamic IP address: The first DHCP address that will be given to client computers
Maximum connection number: How many addresses can be handed out (and therefore the maximum number of clients that can connect via PPTP).
Maximum number of connections with the same account: How many sessions a given account can have (1 is usually a good number here).
Authentication: Best to leave this at MS-CHAP v2 for compatibility, unless you find otherwise.
Encryption: Leave as MPPE optional unless all clients can do MPPE and then you can enforce it for a stronger level of encryption.
MTU: 1400 is a good number.
Use manual DNS: If clients will connect to services via names once connected to the VPN, I’d put your primary DNS server in this field.
Click Apply and open port 1723 so clients can connect to the service. If you’ll be using L2TP over IPSec, click on “L2TP/IPSec” in the sidebar. The settings are the same as those above, but you can also add a preshared key to the mix. Go ahead and check the enable checkbox, provide the necessary settings from the PPTP list, and provide that key and then click on Apply. Note that the DHCP pools are different between the two services. Point UDP ports 1701, 500, and 4500 at the new server to allow for remote connections and then test that clients can connect.
That’s it. You’ve managed to get a new VPN set up and configured. Provided you used the same IP address, same client secret, and the ports are the same, you’ll then probably be able to use the same profile to install clients that you were using previously.
People who have managed Open Directory and will be moving to Synology will note that directory services really aren’t nearly as complicated as we’ve made them out to be for years. This is because Apple was protecting us from doing silly things to break our implementations. It was also because Apple bundled a number of seemingly disparate technologies into ldap. It’s worth mentioning that LDAP on a Synology is LDAP. We’re not federating services, we’re not kerberizing services, we’re not augmenting schemas, etc. We can leverage the directory service to provide attributes though, and have that central phone book of user and group memberships we’ve come to depend on directory services to provide.
To get started, open the Package Center and search for Directory. Click Install for the Directory Server and the package will be installed on the Synology. When the setup is complete, open the Directory Server from the launcher available in the upper right hand corner of the screen. The LDAP server isn’t yet running as you need to configure a few settings before starting. At the Settings screen, you can enable the LDAP service by checking the box to “Enable LDAP Service” and providing the hostname (FQDN) of the service along with a password.
Once the service is configured, you’ll have a base DN and a bind DN. These are generated based on the name provided in that FQDN field. For example, if the FQDN is “synology.krypted.com”, its Base DN will be “dc=synology,dc=krypted,dc=com”. The Bind DN adds a lookup starting at root, then moving into the users container and then the hostname: uid=root,cn=users,dc=synology,dc=krypted,dc=com. If this is for internal use, then it’s all set up. If you’ll be binding external services to this LDAP instance, make sure to open ports 389 (for LDAP) and/or 636 (for LDAP over SSL) as well.
Once you have information in the service, you’ll want to back it up. Click on Backup and Restore. Then click on Configure. At the Configure screen, choose a destination. I prefer using a directory I can then backup with another tool. Once you have defined a place to store your backups using the Destination field, choose a maximum number of backups and configure a schedule for the backups to run (by default backups run at midnight). Then click OK. You now have a functional LDAP service. To create Groups, click on the Group in the left sidebar.
Here, you can easily create groups by clicking on the Create button. At the wizard, provide a group name and then enter the name of a group (accounting in this example). Click Next, then Apply to finish creating the group. Once you have created your groups, click on User to start entering your users. Click Create. At the User Information screen, enter the name, a description if needed, and the password for a user. You can also restrict password changes and set an expiration for accounts. Click Next to create the user. At the next screen, choose what groups the new user will be in and click Next. Enter any extended attributes at the next screen, if you so choose (useful for directories).
Click Next and then Apply. For smaller workgroups, you now have a functional LDAP service! If you’d like a nice gui to access more options, look at FUM (
Services that run on a Synology are constantly being updated. The binaries and other artifacts can quickly and easily be updated. To do so, open the Synology web interface and then open Package Center. From Package Center, click Update for each or Update All to upgrade all services at once. You will then be prompted to verify that you want to run the update. Any services that are being updated will restart and so end users might find those services unresponsive or have to log back in after the service comes back online.
The first step to moving services from macOS Server for pretty much all services is to check out the old settings. The second step is to probably ask if where you’re going to put the service is a good idea. For example, these days I prefer to run DHCP services on a network appliance. But it can absolutely be run on a Mac. And so let’s look at how to do that. Here, we’ll use the serveradmin command to view the settings of the DHCP service:
The easy way to configure a DHCP server is to use Internet Sharing from the Sharing System Preference pane. To do so, simply open System Preferences, click on Sharing and then Internet Sharing. But wait, where do you configure a scope, or the DNS Server or… The answer is “the command line” but don’t be put off by that. In this case I prefer it. Now, let’s go hacking around in your bootpd.plist. This file is stored at /private/etc/bootpd.plist and you’ll need to sudo in order to edit the file. First, back it up. Next, let’s cat the file and cover a few basic examples of migrating the settings:
Let’s start with a simple example of copying the range from one of these to another. First, locate the net_range_start and the net_range_end keys in your serveradmin output. Then find the net_range array in your bootpd.plist. They’re the same in my two examples because the macOS Server app was just hacking the bootpd.plist (OK it was doing more but that was the main thing it was doing). On a fresh new server you might have a very different plist, so you can borrow the above if ya’ need to. Replace the two values in the two strings with those in your server if needed.
Next, find the dhcp_router setting for that subnet and match it to the same in the bootpd.plist. Then, the net_mask. These are all that are required for DHCP to work (technically, the router isn’t required, but it’s super-weird on Apple stuff when there’s not a router, so it’s best to have one when possible). If you need WINS, domain names, DNS Servers, etc, simply repeat the process. You can also copy and paste the code block between the <dict> sections if you need multiple subnets. Or you could move the service to a network appliance more capable, if needed.
The settings for bootp include the following, many of which can be seen in the above output:
dhcp_enabled – Used to enable dhcp for each network interface. Replace the <false/> immediately below with <array> <string>en0</string> </array>. For additional entries, duplicate the string line and enter each from ifconfig that you’d like to use dhcp on.
bootp_enabled – This can be left as Disabled or set to an array of the adapters that should be enabled if you wish to use the bootp protocol in addition to dhcp. Note that the server can do both bootp and dhcp simultaneously.
allocate – Use the allocate key for each subnet in the Subnets array to enable each subnet once the service is enabled.
Subnets – Use this array to create additional scopes or subnets that you will be serving up DHCP for. To do so, copy the entry in the array and paste it immediately below the existing entry. The entry is a dictionary so copy all of the data between and including the <dict> and </dict> immediately after the <array> entry for the subnet itself.
lease_max and lease_min – Set these integers to the time for a client to retain its dhcp lease
name – If there are multiple subnet entries, this should be unique and reference a friendly name for the subnet itself.
net_address – The first octets of the subnet followed by a 0. For example, assuming a /24 and 172.16.25 as the first three octets the entry would be 172.16.25.0.
net_mask – The subnet mask clients should have
net_range – The first entry should have the first IP in the range and the last should have the last IP in the range. For example, in the following example the addressing is 172.16.25.2 to 172.16.25.253.
dhcp_domain_name_server – There should be a string for each DNS server supplied by dhcp in this array
dhcp_domain_search – Each domain in the domain search field should be supplied in a string within this array, if one is needed. If not, feel free to delete the key and the array if this isn’t needed.
dhcp_router – This entry should contain the router or default gateway used for clients on the subnet, if there is one. If not, you can delete the key and following string entries.
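The keys listed above, assembled into a property list and sanity-checked before it is written out. This is an added example, not the author's file or Apple's tooling: it uses Python's plistlib and ipaddress modules, the 172.16.25.0 network and its range come from the text, and the router, DNS server, search domain, lease times and subnet name are constructed values.

```python
import ipaddress
import plistlib


def check_subnet(subnet):
    """Return a list of problems in one Subnets entry (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(
        f"{subnet['net_address']}/{subnet['net_mask']}", strict=False)
    if str(net.network_address) != subnet["net_address"]:
        problems.append("net_address is not the network address for net_mask")
    rng = subnet.get("net_range", [])
    if len(rng) != 2:
        return problems + ["net_range needs exactly two entries"]
    start, end = (ipaddress.ip_address(a) for a in rng)
    if start > end:
        problems.append("net_range start is after its end")
    reserved = (net.network_address, net.broadcast_address)
    for label, addr in (("start", start), ("end", end)):
        if addr not in net or addr in reserved:
            problems.append(f"net_range {label} {addr} is not a usable host in {net}")
    router = subnet.get("dhcp_router")
    if router:
        router = ipaddress.ip_address(router)
        if router not in net:
            problems.append(f"dhcp_router {router} is outside {net}")
        elif start <= router <= end:
            problems.append(f"dhcp_router {router} is inside net_range and could be leased")
    if subnet.get("lease_min", 0) > subnet.get("lease_max", float("inf")):
        problems.append("lease_min is larger than lease_max")
    return problems


def build_bootpd_plist(interfaces, subnets):
    """Validate every subnet, then return the plist as XML bytes."""
    for subnet in subnets:
        problems = check_subnet(subnet)
        if problems:
            raise ValueError(f"{subnet.get('name', '?')}: " + "; ".join(problems))
    config = {
        "bootp_enabled": False,             # bootp left disabled
        "dhcp_enabled": list(interfaces),   # array of interface names
        "Subnets": list(subnets),
    }
    return plistlib.dumps(config)


# Constructed scope: only net_address and net_range are taken from the text.
OFFICE = {
    "name": "office",
    "allocate": True,
    "net_address": "172.16.25.0",
    "net_mask": "255.255.255.0",
    "net_range": ["172.16.25.2", "172.16.25.253"],
    "dhcp_router": "172.16.25.1",
    "dhcp_domain_name_server": ["172.16.25.1"],
    "dhcp_domain_search": ["example.com"],
    "lease_min": 86400,
    "lease_max": 86400,
}

if __name__ == "__main__":
    # Print rather than write, so the result can be reviewed before it
    # replaces /private/etc/bootpd.plist.
    print(build_bootpd_plist(["en0"], [OFFICE]).decode())
```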
Configure DHCP Reservations
To configure reservations, use the /etc/bootptab file. This file should have a column for the name of a computer, the hardware type (1), the hwaddr (the MAC address) and ipaddr for the desired IP address of each entry:
Once configured, configure the service to start automatically. To do so, open /System/Library/LaunchDaemons/bootps.plist. Here, just change the Disabled key to False, by changing the word True in line 6 to False.
Troubleshooting: Inspect Leases on Clients
I did an article some time ago about how DHCP leases work. Once you have clients using the DHCP server, you can also renew and view their leases from the command line, which does not usually show you a new lease in the GUI immediately. To reset the DHCP lease from the command line, use ipconfig:
ipconfig set en0 BOOTP
ipconfig set en0 DHCP
If the information is displayed on the screen, then it has to be stored somewhere, right? When your system sends an acceptance for a lease, the leases are then stored in /var/db/dhcpclient/leases. These are stored in standard property list form using the interface, followed by the MAC address of the interface followed by .plist. For example, if your MAC address is en0-1,10:9a:cc:ab:5d:ac then the lease would cat as follows:
The keys in this file make it easier to script figuring out a few things about your active leases, such as when they’re going to expire, when the lease was accepted or even whether or not the system has a lease (especially when it shouldn’t have a lease). But they can cause misreporting. If the information seems “stuck” in the System Preferences pane you can then rm the dhcp lease file.
Note: If the RouterIPAddress cannot be reached, the lease will be delayed in processing, causing the lease to appear to take a long time to be obtained even though it’s looping to hopefully find a more appropriate lease with a RouterIPAddress that can be reached.
For anyone who uses a shell script to reset their IP address, I recommend using the following as the full script, rather than the two lines most commonly used (where $leasefile is the name of your lease file):
rm "/var/db/dhcpclient/leases/$leasefile"
ipconfig set en0 BOOTP
ipconfig set en0 DHCP
Being the nerd I am, I called mine ipcfg.exe and end with an echo of the IP:
ipconfig getifaddr en0
Finally, a very effective way I’ve seen people reset leases that are seriously stuck is to swap locations and then swap back. Let’s say your users generally use the “Automatic” location and you have one called “TEMP”. You can use the scselect command to see locations and switch between them. So to switch to TEMP, we would simply:
And then to select Automatic again:
Now be careful with this last little tidbit. If you have TEMP selected, don’t have any interfaces active, and are running remotely, then you might have some walking (or driving) around to do…
Configure DHCP Options
The DHCP Service also has a number of DHCP options available; most notably the options available in the GUI. But what about options that aren’t available in the GUI, such as NTP? Well, using /etc/bootpd.plist, the same file we used to define servers allowed to relay, you can also define other options. These begin with the following keys that can be added into your property list:
dhcp_time_offset (option 2)
dhcp_router (option 3)
dhcp_domain_name_server (option 6)
dhcp_domain_name (option 15)
dhcp_network_time_protocol_servers (option 42)
dhcp_nb_over_tcpip_name_server (option 44)
dhcp_nb_over_tcpip_dgram_dist_server (option 45)
dhcp_nb_over_tcpip_node_type (option 46)
dhcp_nb_over_tcpip_scope (option 47)
dhcp_smtp_server (option 69)
dhcp_pop3_server (option 70)
dhcp_nntp_server (option 71)
dhcp_ldap_url (option 95)
dhcp_netinfo_server_address (option 112)
dhcp_netinfo_server_tag (option 113)
dhcp_url (option 114)
dhcp_domain_search (option 119)
dhcp_proxy_auto_discovery_url (option 252)
But you can also add options by their numerical identifier. To add them, add the following into your /etc/bootpd.plist file and then restart the DHCP service:
In the above, you’d replace the option 120 (SIP) with the option you wish to use. Numbers correspond to options as follows:
0 – Pad
1 – Subnet Mask
3 – Router
4 – Time Server
5 – Name Server
6 – Domain Name Server
7 – Log Server
9 – LPR Server
10 – Impress Server
11 – Resource Location Server
12 – Host Name
13 – Boot File Size
14 – Merit Dump File
15 – Domain Name
16 – Swap Server
17 – Root Path
18 – Extensions Path
19 – IP Forwarding
20 – WAN Source Routing
21 – Policy Filter
22 – Maximum Datagram Reassembly Size
23 – Default IP Time-to-live
24 – Path MTU Aging Timeout
25 – Path MTU Plateau Table
26 – Interface MTU
27 – All Subnets are Local
28 – Broadcast Address
29 – Perform Mask Discovery
30 – Mask supplier
31 – Perform router discovery
32 – Router solicitation address
33 – Static routing table
34 – Trailer encapsulation
35 – ARP cache timeout
36 – Ethernet encapsulation
37 – Default TCP TTL
38 – TCP keep alive interval
39 – TCP keep alive garbage
40 – Network Information Service Domain
41 – Network Information Servers
42 – NTP servers
43 – Vendor specific information
44 – NetBIOS over TCP/IP name server
45 – NetBIOS over TCP/IP Datagram Distribution Server
46 – NetBIOS over TCP/IP Node Type
47 – NetBIOS over TCP/IP Scope
48 – X Window System Font Server
49 – X Window System Display Manager
50 – Requested IP Address
51 – IP address lease time
52 – Option overload
53 – DHCP message type
54 – Server identifier
55 – Parameter request list
57 – Maximum DHCP message size
58 – Renew time value
59 – Rebinding time value
62 – NetWare over IP Domain Name
63 – NetWare over IP information
64 – Network Information Service Domain
65 – Network Information Service Servers
66 – TFTP server name
67 – Bootfile name
68 – Mobile IP Home Agent
69 – Simple Mail Transport Protocol Server
70 – Post Office Protocol Server
71 – Network News Transport Protocol Server
72 – Default World Wide Web Server
73 – Default Finger Server
74 – Default Internet Relay Chat Server
77 – User Class Information
78 – SLP Directory Agent
79 – SLP Service Scope
80 – Rapid Commit
81 – Fully Qualified Domain Name
82 – Relay Agent Information
83 – Internet Storage Name Service
85 – NDS servers
86 – NDS tree name
87 – NDS context
88 – BCMCS Controller Domain Name list
89 – BCMCS Controller IPv4 address list
91 – Client Last Transaction Time
92 – Associated IP
93 – Client System Architecture Type
94 – Client Network Interface Identifier
95 – LDAP, Lightweight Directory Access Protocol
97 – Client Machine Identifier
98 – Open Group User Authentication
100 – IEEE 1003.1 TZ String
101 – Reference to the TZ Database
112 – NetInfo Parent Server Address
113 – NetInfo Parent Server Tag
116 – Auto-Configure
117 – Name Service Search
118 – Subnet Selection
119 – DNS domain search list
120 – SIP Servers DHCP Option
121 – Classless Static Route Option
123 – GeoConfiguration
124 – Vendor-Identifying Vendor Class
125 – Vendor-Identifying Vendor Specific
128 – TFTP Server IP address
129 – Call Server IP address
130 – Discrimination string
131 – Remote statistics server IP address
132 – 802.1P VLAN ID
133 – 802.1Q L2 Priority
134 – Diffserv Code Point
135 – HTTP Proxy for phone-specific applications
136 – PANA Authentication Agent
139 – IPv4 MoS
140 – IPv4 Fully Qualified Domain Name MoS
150 – TFTP server address
176 – IP Telephone
220 – Subnet Allocation
221 – Virtual Subnet Selection
252 – Proxy auto-discovery
254 – Private use
255 – End
And that’s it. This whole thing can take 5-10 minutes. In fact, if you were using macOS Server then just back up your bootpd.plist and copy it to another machine, assuming the network interface (en0, en1, etc) hasn’t changed. Or change it if it has. But, for all the other weird stuff that was in the UI (or even the stuff that was never in the UI), here’s a pretty lengthy explanation of how to manage all of it from the command line. Building a GUI to configure these wouldn’t be that hard either, assuming you have bootp built into the Mac for awhile (and I think you need it for Internet sharing). Oh, that reminds me, Internet sharing is likely to overwrite any custom settings, so once you hack the plist, don’t go back to System Preferences-based management.