• Mac OS X,  Mac Security

    A couple one-liners for analyzing Mac app usage

    Reporting on application usage is an interesting topic on the Mac. This is done automatically with a number of device management solutions. But there are things built into the OS that can help as well.

        mdls "/Applications/Xcode.app" -name kMDItemLastUsedDate | awk '{print $3}'

    Now, if you happen to also need the time, simply add ,$4 to the end of your awk print so you can see the next position, which is the time. Additionally, a simple one-liner to grab the foreground app via AppleScript is:

        osascript -e 'tell application "System Events"' -e 'set frontApp to name of first application process whose frontmost is true' -e 'end tell'

    That’s pretty much…

  • Mac OS X,  Mac Security

    Managing Virus Scans With ClamAV

    There are a number of solutions on the market for scanning a Mac for files that have become infected with a virus or macro-virus. Many of these have a negative return on investment. So customers can instead go the open source route to scan files and quarantine them. And customers can use Jamf Pro to enable doing so. This page is meant to provide a quick and dirty guide to doing so, along with how this might be packaged and potentially tracked with Jamf Pro. First, we’ll install and configure a free tool called clamav. There are a number of ways to install clam. For this example, just to get…

  • Mac OS X,  Mac OS X Server,  Mac Security

    A Service-By-Service Guide For Moving Away From macOS Server

    I’ve been making guides to macOS Server since Server 2: Mountain Lion Server (Server 2), Yosemite Server (Server 3), Mavericks Server (Server 4), OS X Server 5 (for El Capitan), macOS Server 5.2 (for macOS Sierra), and macOS Server 5.4 (for High Sierra). And along the way, I’ve also sold plenty of books on Mac Servers and gotten a lot of opportunities I might not have gotten otherwise. So thank you to everyone for joining me on that journey. After teaching so many how to use the services that Apple made available in their server operating system, when they announced they’d no longer be making many of the services my readers…

  • Mac OS X,  Mac Security

    Using Apple’s Built-In Malware Removal Tool (MRT)

    macOS now comes with a vulnerability scanner called mrt. It’s installed within the MRT.app bundle in /System/Library/CoreServices/MRT.app/Contents/MacOS/ and while it doesn’t currently have a lot that it can do, it does protect against the various bad stuff that is actually available for the Mac. To use mrt, simply run the binary with a -a flag for agent and then a -r flag along with the path to run it against. For example, let’s say you run a launchctl command to list LaunchDaemons and LaunchAgents running:

        launchctl list

    And you see something that starts with com.abc. Let me assure you that nothing should ever start with that. So you can scan it using…

  • Mac OS X,  Mac Security

    Managing Google SafeBrowsing in Firefox for Mac

    Firefox describes their malware posture at https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work which heavily leverages Google SafeBrowsing, as do many browsers. Settings for SafeBrowsing are set in the browser.safebrowsing.downloads.remote.enabled pref. To lock this pref, you would need to create an autoconfig.js file in /Applications/Firefox.app/Contents/Resources/defaults/pref that points to a firefox.cfg file with a lock pref in it. To do so, create the autoconfig.js file and paste in these settings:

        // Configure SafeBrowsing
        pref("general.config.filename", "firefox.cfg");
        pref("general.config.obscure_value", 0);

    Then create the firefox.cfg file and paste in these settings:

        // Configuring SafeBrowsing
        lockPref("browser.safebrowsing.downloads.remote.enabled", true);

    Live Firefox preferences can be seen at /Users/charles.edge 1/Library/Application Support/Firefox/Profiles/*.default. Because SafeBrowsing is enabled by default, you shouldn’t see it listed unless it’s been disabled. But you can confirm it’s doing its…

  • Mac OS X,  Mac Security

    Quick and Dirty OpenBSM Auditing In macOS

    OpenBSM is a subsystem that has been installed on the Mac for some time. OpenBSM provides the ability to create and read audit logs based on the Common Criteria standards.

    Audit Logs

    The quick and easy way to see what OpenBSM is auditing is to cat the /etc/security/audit_control file:

        cat /etc/security/audit_control

    The output displays the directory of audit logs, as well as what is currently being audited. By default the configuration is as follows:

        #
        # $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
        #
        dir:/var/audit
        flags:lo,aa
        minfree:5
        naflags:lo,aa
        policy:cnt,argv
        filesz:2M
        expire-after:10M
        superuser-set-sflags-mask:has_authenticated,has_console_access
        superuser-clear-sflags-mask:has_authenticated,has_console_access
        member-set-sflags-mask:
        member-clear-sflags-mask:has_authenticated

    You can then see all of the files in your audit log, using a standard ls of those:

        ls /var/audit

    As you can see, the files are then stored with a date/time stamp naming convention. …

  • Mac Security

    Notes On Google SafeBrowsing And Safari

    Most phishing sites follow a known pattern. And people like to flag bad sites. So Google and a few other organizations, such as stopbadware.org, have a collection of feeds that can be leveraged by software vendors to provide a warning or flat-out block potentially fraudulent sites. If a piece of malware is found, even if buried deep in a site, the site will likely get picked up by a robot or reported by a user. Robots can pick up a lot, as people who exploit WordPress sites and stuff like that are often playing a numbers game: harvesting hundreds of thousands of email addresses and sending phishing emails. It only…

  • Mac OS X,  Mac Security

    Check Versions of Common Apps and Services on macOS

    Just some little one-liners to grab the version of a few common Apple services/built-in apps you might need the version of, for another project I’m working on, kinda:

        cups: cups-config --version
        Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d '"' -f2
        Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d '"' -f2
        iBooks Author: mdls -name kMDItemVersion /Applications/iBooks\ Author.app | cut -d '"' -f2
        ical/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app/ | cut -d '"' -f2
        ichat/Messages: mdls -name kMDItemVersion /Applications/Messages.app/ | cut -d '"' -f2
        iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d '"' -f2
        installer: /usr/sbin/installer -vers
        Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d '"' -f2
        iTunes: mdls -name…

  • Mac OS X,  Mac Security

    Scripted Lookup Of CVEs For A Version of macOS

    The Mac comes with a number of tools for querying version numbers of things like apps and operating systems. First, let’s look at operating systems. The quickest way to derive the version of an operating system would be:

        sw_vers -productVersion

    It then becomes trivial to pipe these into other languages, provided you can reach them from within a script. For example, if you import os into a python script, you can use the sw_vers command:

        import os
        os.system('sw_vers -productVersion')

    Or to grab the version of the OS you could import a function just for that:

        import platform
        version = platform.mac_ver()

    So in the following example, we’ll

        #!/usr/bin/python
        import sys, urllib, json, platform
        if…