• Mac OS X,  Mac Security

    Managing Virus Scans With ClamAV

    There are a number of solutions on the market for scanning a Mac for files that have become infected with a virus or macro virus. Many of these have a negative return on investment, so customers can instead go the open source route to scan files and quarantine them, and use Jamf Pro to enable doing so. This page is meant to provide a quick and dirty guide to that, along with how it might be packaged and potentially tracked with Jamf Pro. First, we’ll install and configure a free tool called clamav. There are a number of ways to install clam. For this example, just to get…

  • Mac OS X,  Mac OS X Server,  Mac Security

    A Service-By-Service Guide For Moving Away From macOS Server

    I’ve been making guides to macOS Server since Server 2: Mountain Lion Server (Server 2), Yosemite Server (Server 3), Mavericks Server (Server 4), OS X Server 5 (for El Capitan), macOS Server 5.2 (for macOS Sierra), and macOS Server 5.4 (for High Sierra). And along the way, I’ve also sold plenty of books on Mac Servers and gotten a lot of opportunities I might not have gotten otherwise. So thank you to everyone for joining me on that journey. After teaching so many how to use the services that Apple made available in their server operating system, when they announced they’d no longer be making many of the services my readers…

  • Mac OS X,  Mac Security

    Using Apple’s Built-In Malware Removal Tool (MRT)

    macOS now comes with a malware removal tool called mrt. It’s installed within the MRT.app bundle in /System/Library/CoreServices/MRT.app/Contents/MacOS/ and while it doesn’t currently have a lot that it can do, it does protect against the various bad stuff that is actually available for the Mac. To use mrt, simply run the binary with the -a flag for agent and then the -r flag followed by the path to run it against. For example, let’s say you run a launchctl command to list the LaunchDaemons and LaunchAgents that are loaded:

        launchctl list

    And you see something that starts with com.abc. Let me assure you that nothing should ever start with that. So you can scan it using…

  • Mac OS X,  Mac Security

    Managing Google SafeBrowsing in Firefox for Mac

    Firefox describes its malware posture at https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work, which heavily leverages Google SafeBrowsing, as do many browsers. Settings for SafeBrowsing are set in the browser.safebrowsing.downloads.remote.enabled pref. To lock this pref, you would need to create an autoconfig.js file in /Applications/Firefox.app/Contents/Resources/defaults/pref that points to a firefox.cfg file with a lockPref in it. To do so, create the autoconfig.js file and paste in these settings:

        // Configure SafeBrowsing
        pref("general.config.filename", "firefox.cfg");
        pref("general.config.obscure_value", 0);

    Then create the firefox.cfg file and paste in these settings (the value is the JavaScript boolean true, lowercase):

        // Configuring SafeBrowsing
        lockPref("browser.safebrowsing.downloads.remote.enabled", true);

    Live Firefox preferences can be seen at /Users/charles.edge 1/Library/Application Support/Firefox/Profiles/*.default. Because SafeBrowsing is enabled by default, you shouldn’t see it listed unless it’s been disabled. But you can confirm it’s doing its…

  • Mac OS X

    Command Line Fu: Open Hidden Apps In macOS

    macOS allows you to launch an app in a hidden state. To do so, use the open command, the -a flag to specify the path of the app, and --hide after the path to the app, as follows:

        /usr/bin/open -a /Applications/Notes.app --hide

  • Mac OS X,  Mac Security

    Quick and Dirty OpenBSM Auditing In macOS

    OpenBSM is a subsystem that has been installed on the Mac for some time. OpenBSM provides the ability to create and read audit logs based on the Common Criteria standards. Audit Logs: The quick and easy way to see what OpenBSM is auditing is to cat the /etc/security/audit_control file:

        cat /etc/security/audit_control

    The output displays the directory of audit logs, as well as what is currently being audited. By default the configuration is as follows:

        #
        # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
        #
        dir:/var/audit
        flags:lo,aa
        minfree:5
        naflags:lo,aa
        policy:cnt,argv
        filesz:2M
        expire-after:10M
        superuser-set-sflags-mask:has_authenticated,has_console_access
        superuser-clear-sflags-mask:has_authenticated,has_console_access
        member-set-sflags-mask:
        member-clear-sflags-mask:has_authenticated

    You can then see all of the files in your audit log, using a standard ls of that directory:

        ls /var/audit

    As you can see, the files are then stored with a date/time stamp naming convention. …

  • Mac OS X,  Mac Security

    Check Versions of Common Apps and Services on macOS

    Just some little one-liners to grab the version of a few common Apple services and built-in apps, which I need for another project I’m working on:

        cups: cups-config --version
        Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d '"' -f2
        Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d '"' -f2
        iBooks Author: mdls -name kMDItemVersion /Applications/iBooks\ Author.app | cut -d '"' -f2
        iCal/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d '"' -f2
        iChat/Messages: mdls -name kMDItemVersion /Applications/Messages.app/ | cut -d '"' -f2
        iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d '"' -f2
        installer: /usr/sbin/installer -vers
        Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d '"' -f2
        iTunes: mdls -name…

  • Mac OS X,  Mac Security

    Scripted Lookup Of CVEs For A Version of macOS

    The Mac comes with a number of tools for querying version numbers of things like apps and operating systems. First, let’s look at operating systems. The quickest way to derive the version of an operating system would be:

        sw_vers -productVersion

    It then becomes trivial to pipe these into other languages, provided you can reach them from within a script. For example, if you import os into a Python script, you can run the sw_vers command:

        import os
        os.system('sw_vers -productVersion')

    Or to grab the version of the OS you could import a function just for that (mac_ver() returns a tuple, and the version string is its first element):

        import platform
        version = platform.mac_ver()[0]

    So in the following example, we’ll…

        #!/usr/bin/python
        import sys, urllib, json, platform
        if…