XProtectWatch 1.1.0 (now with terminal-notifier support)

I have updated XProtectWatch to now utilize terminal-notifier “a command-line tool to send Mac OS X User Notifications, which are available in Mac OS X 10.8”. To install terminal-notifier is pretty simple, as I have also created a terminal-notifier.sh script that you can run that will download the latest terminal-notifier zip file from github.com, unzip, and move to your /Applications folder (where my script expect terminal-notifier to exist).

rollBack (hack)

In addition to using terminal-notifier, I’ve also created a rollBack.sh script. As noted in XProtectWatch’s README.md, THIS IS A HACK SCRIPT. I’m really just searching for the last two files within the XProtectWatch Shared folder, removing them, then taking the 2nd to last version and copying them back into the system. They will then be updated the next time sudo /usr/libexec/XProtectUpdater runs, which will then trigger the watchProtect.sh script to run. I created mostly for myself to test the terminal-notification function without having to wait for Apple to update their files.

LaunchAgent shuffle

Lastly, if you had downloaded these scripts before, be sure to take note that I had to move the /Library/LaunchDeamon to ~/Library/LaunchAgent in order for terminal-notifier to work. The reason is notification that were triggered by a system process didn’t forward to the current user, therefore, a user’s account had to load the plist file.

what does it take for all these updates? git clone https://github.com/stonyrivertech/XProtectWatch.git

AFP

Log files

• /Library/Logs/AppleFileService/AppleFileServiceAccess.log
• /Library/Logs/AppleFileService/AppleFileServiceError.log

What?! You don’t have these logs? You might need to turn them on as by default they are disabled.

1

sudo serveradmin settings afp:activityLog = yes

This will enable logging for the following items, and rotate the logs on a weekly basis:

• logLogin
• logLogout
• logCreateDir
• logCreateFile
• logOpenFork
• logDelete

DNS

Log files

• /Library/Logs/named.log

The file contains everything you would want to know regarding your DNS environment, such as reloading of configurations, zones, shutting down, and transferring to any DNS slaves. You will not see these log messages on a slave DNS server, so you must have access to the master. Notice, you will not see WHAT DNS record was created below (it was delete.rummel.co).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

11-Mar-2013 14:52:41.751 reloading configuration succeeded
11-Mar-2013 14:52:41.752 reloading zones succeeded
11-Mar-2013 15:27:02.757 shutting down
11-Mar-2013 15:27:02.757 stopping command channel on 127.0.0.1#54
11-Mar-2013 15:27:02.757 no longer listening on 127.0.0.1#53
11-Mar-2013 15:27:02.757 no longer listening on 192.168.1.121#53
11-Mar-2013 15:27:02.761 exiting
11-Mar-2013 15:27:02.860 zone 0.0.127.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 1997022700
11-Mar-2013 15:27:02.861 zone 1.168.192.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2013031101
11-Mar-2013 15:27:02.862 zone rummel.co/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2013031101
11-Mar-2013 15:27:02.862 zone localhost/IN/com.apple.ServerAdmin.DNS.public: loaded serial 42
11-Mar-2013 15:27:02.862 zone justinrummel.net/IN/com.apple.ServerAdmin.DNS.public: loaded serial 2013031101
11-Mar-2013 15:27:02.862 managed-keys-zone ./IN/com.apple.ServerAdmin.DNS.public: loaded serial 0
11-Mar-2013 15:27:02.863 running
11-Mar-2013 15:27:02.863 zone 1.168.192.in-addr.arpa/IN/com.apple.ServerAdmin.DNS.public: sending notifies (serial 2013031101)
11-Mar-2013 15:27:02.863 zone rummel.co/IN/com.apple.ServerAdmin.DNS.public: sending notifies (serial 2013031101)
11-Mar-2013 15:27:02.863 zone justinrummel.net/IN/com.apple.ServerAdmin.DNS.public: sending notifies (serial 2013031101)
11-Mar-2013 15:27:02.881 client 192.168.1.122#51602: view com.apple.ServerAdmin.DNS.public: transfer of '1.168.192.in-addr.arpa/IN': AXFR-style IXFR started
11-Mar-2013 15:27:02.881 client 192.168.1.122#51602: view com.apple.ServerAdmin.DNS.public: transfer of '1.168.192.in-addr.arpa/IN': AXFR-style IXFR ended
11-Mar-2013 15:27:03.369 client 192.168.1.122#63695: view com.apple.ServerAdmin.DNS.public: received notify for zone '1.168.192.in-addr.arpa'
11-Mar-2013 15:27:03.373 client 192.168.1.122#51603: view com.apple.ServerAdmin.DNS.public: transfer of 'rummel.co/IN': AXFR-style IXFR started
11-Mar-2013 15:27:03.374 client 192.168.1.122#51603: view com.apple.ServerAdmin.DNS.public: transfer of 'rummel.co/IN': AXFR-style IXFR ended
11-Mar-2013 15:27:03.374 client 192.168.1.122#51604: view com.apple.ServerAdmin.DNS.public: transfer of 'justinrummel.net/IN': AXFR-style IXFR started
11-Mar-2013 15:27:03.374 client 192.168.1.122#51604: view com.apple.ServerAdmin.DNS.public: transfer of 'justinrummel.net/IN': AXFR-style IXFR ended
11-Mar-2013 15:27:03.375 client 192.168.1.122#64866: view com.apple.ServerAdmin.DNS.public: received notify for zone 'rummel.co'
11-Mar-2013 15:27:03.875 client 192.168.1.122#56747: view com.apple.ServerAdmin.DNS.public: received notify for zone 'justinrummel.net'

Installer

Log files

• /var/log/install.log

Did you just double click a “.pkg” file (or something that looks like yellow junk in a box)? The actions of that installation are recorded here. You could also install items by using the installer command (a scripting FYI).

Open Directory

Log files

• /Library/Logs/slapconfig.log

  Setting up and configuring Open Directory services

• /Library/Logs/PasswordService/ApplePasswordServer.Service.log

  Successes and failures authenticating with local network users

• /Library/Logs/PasswordService/ApplePasswordServer.Error.log

  Errors in the Password Service

• /var/log/slapd.log

  LDAP services

• /var/log/opendirectoryd.log

  Core Open Directory functionality

There is so much going on in terms of Open Directory it’s hard to begin, as it deals with:

1. LDAP (OpenLDAP specifically)
2. Password (Password Service)
3. Kerberos (now Heimdal vs. MIT Kerberos)

You can read about Open Directory on Apple’s man page opnedirectoryd, or reference the error codes in Apple’s developer section. There are some key troubleshooting steps I usually perform when trying to debug authentication issues:

1. ping -c 4 ODM.IP.address (it should work)
2. host ODM.IP.address (it should report back your server’s fully qualified domain name)
3. host ODM.domain.tld (it should report back only one IP address)
4. open afp://ODM.domain.tld (you should get an authentication prompt)
5. dscl /Search -read /Users/*username* NFSHomeDirectory (should return “/Network/Servers/server.domain.tld/Volumes/path/to/username”)
6. dscl /Search -read /Users/*username* HomeDirectory (should return “<home_dir><url>afp://server.domain.tld/Users</url><path>username</path></home_dir>”)
7. ntpq -p; ntpdc -c loopinfo (do this on the client and server to verify NTP settings are using the same server)
8. kinit *username*@ODM.SERVER.TLD (this should be your Kerberos realm so the FQDN is in all caps)
9. klist -a (Verify TGT and Auth time)

Remember, you can always increase the log level of Open Directory by following Apple’s kbase article and issue:

1
2
3
4
5

# debug
odutil set log debug

# return to default
odutil set log default

* The logging level will persist through restarts.
* Other logging levels are also available: “alert”, “critical”, “error”, “warning”, “notice”, and “info”.
* For more information please refer to the manual pages for the odutil utility (such as “man odutil”).
* Generally, debug logging should only be used to troubleshoot Open Directory service-related issues because debug logging can generate large amounts of log messages. If you need more detailed information about Open Directory events but do not wish to use “debug”, consider using “info” instead.

System

Log files

• /var/log/system.log

Apple decided to stop utilizing the security.log file for ‘interesting’ items, and now just creates noise in system.log. Grep for the following items:

• grep sudo /var/log/system.log

  Anyone using the ‘sudo’ command for elevated privileges

• grep backup /var/log/system.log

  Time Machine ‘backup’ for the server to a secondary drive (not the Time Machine backup service)

• grep kernel /var/log/system.log

  Kernel messages (such as sandboxd lookup errors)

• grep bootp /var/log/system.log

  NetBoot and DHCP notices

• grep kdc /var/log/system.log

  Kerberos log messages for individuals who authenticate for services

Web Services

Log files

General Apache Info

• /var/log/apache2/access_log

  You may see these two files symlinked in Console.app under /Library/Logs/ => “WebServer”

• /var/log/apache2/error_log

WebDAV

• /Library/Logs/AppleFileService/AppleFileServerError.log
• /Library/Logs/WebDAVSharing.log

CalDAV

• /var/log/caldavd/access.log

Profile Manager

• /Library/Logs/ProfileManager/devicemgrd.log
• /Library/Logs/ProfileManager/profilemanager.log
• /Library/Logs/PostgreSQL/PostgreSQL.log

• /Library/Logs/PostgreSQL/PostgreSQL_server_Services.log

  If you have ever had to “redo” some of your work and Postgress, you needed to sudo serveradmin start postgres_server to get things done. There is a log for that.

VPN

Log files

• /var/log/ppp/vpnd.log

Who just logged into your network? Look for “authorized for access”:

1

grep "authorized for access" /var/log/ppp/vpnd.log

Sources

• AFP Logging by Charles Edge
• Server Essentials 10.8 By Arek Dreyer, Ben Greisler
• Post Title by Ren and Stimpy

I had the interesting opportunity of installing the Casper Suite on an Amazon EC2 Cloud server and wanted to post my findings on the subject for other future “cloud” users. Overall the process is very simple, as you can configure a Windows 2008 R2 Server or Linux server via one of Amazon’s Quick Launch Configurations. I’ll review technically what was needed for the environment along with a couple of “gotchas”.

I’ll assume that you have (or have the means of getting) an EC2 account with Amazon with the proper ports opened for security {22 (ssh), [80, 443] (http(s)), 445 (smb), 8443 (Tomcat)}. For this installation we used an Ubuntu Server 12.04 LTS (Long Term Support) Quick Launch Configuration (which does not come with a GUI… ALL command line… just the way I like it!).

Environment

JSS

• EC2 (Amazon Elastic Compute Cloud) Amazon Micro instance was sufficient to host the JSS even though it technically doesn’t meet the requirements listed by JAMF in terms of RAM and CPU. Obviously as your environment grows, so will your server resource needs. The main point is you can get something started VERY cheaply.
• Created a 1TB EBS (Amazon Elastic Block Store) drive to store data. Note, EC2 instances that are greater than “micro” have “local instance storage”. This storage will be deleted if the server is restarted (think of it as a giant /tmp folder). Therefore, it is critical… no matter what EC2 instance type you create (micro, small, large, etc) that you create an EBS drive.
• Attached the EBS to our EC2 server via Amazon’s Management Console.

Our EC2 was running a fresh install from Amazon’s images of Ubuntu Server 12.04 LTS, and we performed the following items.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

# Update the default image
sudo apt-get update
sudo apt-get upgade

# Install JDK for Tomcat
sudo apt-get install openjdk-6-jdk

# Installed mysql for JSS.  This will ask for a password for root.
# Be sure to following JAMF's documentation to create the MySQL database tables
sudo apt-get install mysql-server

# scp JSSInstallerLinux8.63.zip scp to Ubuntu Amazon Server
# this requires using the Amazon's .pem certificate
# scp -i /path/to/amazon.pem JSSInstallerLinux8.63.zip ubuntu@PUBLIC.IP

# Format the EBS 1TB vol, create mount point of "CasperShare", modify the /etc/fstab in case the system reboots, mounted 1TB drive
sudo mkfs ext3 /dev/xvdf
sudo mkdir -m 000 /CasperShare
echo "/dev/xvdf /CasperShare auto noatime 0 0" | sudo tee -a /etc/fstab
sudo mount /CasperShare

# Installed apache2 for http downloads
# Created a symlink from /var/www/CasperShare to /CasperShare
sudo apt-get install apache2

# Created two new users: casperadmin and casperuser
sudo useradd -d /home/casperadmin -m casperadmin
sudo passwd casperadmin

# Installed Samba for SMB mounts
sudo apt-get install samba

#   Added smbpassword for casperadmin
smbpasswd -a casperadmin

#   Added CasperShare SMB folder 
;[accounts]
; comment = CasperShare
; path = /CasperShare
; valid users = casperadmin
; public = no
; writable = yes

Notes

Casper Remote

Casper Remote will not work. For some reason the JSS reports everyone’s IP address as the public WAN ip address instead of looking at ipconfig getifaddr en0 or some other sophisticated method to determine the IP address of a machine during the “every15” trigger. This information could be collected as an Extension Attribute, but Casper Remote won’t read this data for remote actions (such as pushing Application Packages and/or VNC services).

Distribution Points

You still need to create a Distribution point for “CasperShare” in the JSS using SMB services for upload, and HTTP services for download. This will allow “you” as the Casper Admin to upload your Scripts, Packages, and other management items to your EBS.

The Apache2 HTTP service is needed for your users to download your packages that have been uploaded by Casper Admin.app. I am assuming that the need of an EC2 server is because your user base is diverse and spread out across varying degrees of counties, states, or countries.

NetBoot

You will not be able to NetBoot for imaging with this setup. Even IF you got a NetSUS VM running locally on your LAN or download and install Server.app on a spare Apple machine, you don’t have a Base OS to upload in Casper Admin.app. If you wanted to waste the space (and time to upload) a Base OS and then use Target Disk mode for imaging, that could be investigated, but I would opt for using Recovery HD and then enroll your devices via URL or QuickAdd.pkg.

Software Update

This would be a great scenario to utilize NetSUS, or better yet install Reposado in a separate micro EC2 install to manage Apple Software Updates. You can configure Reposado to be your primary index.sucatalog which points to Appple’s download servers (thus not requiring you to store any data). With Reposado combined with the Open Source GUI project Margarita you can have an easily deployable and maintainable solution for Software Updates. You can find a great “How To” to setup Reposado and Margarita at Joe Wollard’s site, which is also getting some feedback on Reposado’s Google Group forum.

Clustering

You can cluster your JSS with multiple which may help with the IP addressing elements for Casper Remote, however, creating a cluster for JSS is beyond this article. You can find some information on JAMF Nation by searching for “DMZ” or “Cluster”. Such as:

• Installing a JSS Web Application in the DMZ
• Setting up A Clustered JSS

Additional Thoughts

If you have any suggestions on Samba security I would greatly appreciate it. The default setup seems that only “printers” is advertised so it would be simple to disable that broadcast while everything else is mostly locked down. You could always perform sudo service smb [stop | start] for times when you want to upload via Casper Admin.app if you didn’t like the idea of having a smb in the cloud.

On Feb 19, 2013 11:48 PM Topher Kessler releases his article for CNET that New Mac malware opens secure reverse shell is out, “but has not yet been determined to be much of a threat”. His article properly sources Intego’s original article on the matter. In short it uses a modified implementation of openssl to establish a secure connection to a remote server thus creating a botnet or Command and Control (C&C) environment.

Things like this is why Apple updates XProtect and they should update it often (not to mention vulnerable plugins like Java or Flash). I’ve written about XProtect before and how it works back in 2011. Just letting you know that in the mist of Mac SysAdmin pains of XProtect (such as disabling Java or Flash overnight) it can also work FOR you. There have been a couple of GitHub projects that are trying to help Mac SysAdmins in managing XProtect which can be found at:

• XProtect Packager by Tim Sutton
• YProtect by Ryan Manly
• DisableXProtectUpdater by Greg Neagle
• Managing Java browser plug-in settings by Rich Trouton
• Everything you’ll wish you didn’t know about disabling Java 7 updates by Tim Sutton

I’m not recommending one or the other, I’m just giving some quick links. One item I will point out is that I do keep track of XProtect for my personal system via a quick and dirty LaunchDaemon that watches the XProtect.plist file, and when it changes it copies that version to /Users/Shared/XProtect/ folder, this way I can always do a diff between the last two files to see what has changed.

You can clone a copy of XProtectWatch for your personal needs by going to https://github.com/stonyrivertech/XProtectWatch.

A final option is to utilize changedection.com and simply ‘watch’ for Apple’s clientConfiguration.plist file to be updated. I’ve established one for version 3 of clientConfiguration here.

To see the diff for today’s Xprotect update here are the resulting diff gist’s:

Background

Confession, I FORCED my wife to be a “switcher”. Yes, I forced her to start using OS X, because Christmas 2012 I purchased a new laptop for her at her request (she didn’t specify a brand… and um… yeah… I’m not buying a PC). This may come to a shock for some people as:

• Using a Macintosh has been my primary choice since 1995 when I was a Music Major at Ball State University.
• How can a Mac Only user of the past five years (not really touching anything more recent than XP) be married to someone who HATES OS X!?

TL;DR She’s stubborn.

I’m now the 24/hr Apple helpdesk and the target of ”why does Apple do this” questions, so I thought to make the best of the situation and start documenting items for future switchers or admins of switchers.

First up, Screen Shots

Issue

Screen Shots is a interesting item, because Mac users really despise most Windows users solution to screen shots which is ”embed a picture into a word document”. Note to all Windows users, this is WRONG (send the picture, not a word document with a picture). To better understand why this perdicament exists, lets disect the difference between the two platforms between the “Screen Shot Capturing” user’s perspective vs. the end recipient:

Windows Users

Taking a screen shot is easy and that is the key element of windows user’s behavior, the method of getting a screen shot is very simple for Windows users as it involves a keyboard button.

How much easier can it be than ‘push this button’ if I want to get a screen shot?

The issue is that “Print Screen” button captures the picture to the clipboard, and that is where most Windows users begin to the horrible idea of embedding this picture into a document which compresses the image and degrade quality.

Mac Users

Mac users have the the excellent output of saving their screen shots automatically to the Desktop. You just need to make sure you can contort your left hand to hold one of the keyboard combinations to take that picture. Even Apple describes the ability to capture screen shots as:

Okay, you probably already know the ol’ Command-Shift-3 shortcut for taking a screen grab of your entire screen, and you may even know about Command-Shift-4, which gives you a crosshair cursor so you can choose which area of the screen you want to capture. But perhaps the coolest, most-secret hidden capture shortcut is Control-Command-Shift-3 (or 4), which, instead of creating a file on your desktop, copies the capture into your Clipboard memory, so you can paste it where you want.

“just use the ol’ Command-Shift-4 w/ a spacebar”, that is what makes things difficult for a switcher.

Solutions

There are a couple of solutions for a Switcher, it just depends on what they want to perform:

• Grab; You can place the Grab Application (in the Utilities folder) in the dock and let the ‘switcher’ know that anytime (s)he needs to take a screenshot, just start this application as there are plenty of options in the Capture dropdown menu option.

• Preview; if your ‘switcher’ want to modify the files such as placing text or arrows on the screen shot, Preview may be a good choice as you can use the File => Take Screen Shot menu option and use Previews Annotate options under the Tools menu dropdown.

• Automator; This requires a little work for yourself, but it solve two things that I didn’t like about the other two options:

  • Grab would take up a Dock icon placement. Why crowd that area?
  • Grab and Preview are additional applications to open when most likely the switcher want to instantly take a screen shot of the application they are currently using. Why open a separate application?

  A simple Automator script would allow your switcher to use the Services option in every application to grab their screenshots. Yes, this may take away some of their options, but did they have any options when using the “Print Screen” button?

Here are the steps:

1. Create a new “Service” (the one shaped like a gear) Automator document
2. Select “Run Shell Script” as your only workflow item
3. At the top, Service receives “no input” which is the last item in the dropdown field and be sure to leave the “Any Application” which is the default setting.
4. Copy/paste this code

1
2

fileDate=`date '+%Y.%m.%d-%T'`
screencapture -ioW ~/Desktop/ScreenShot_"${fileDate}".png

This will capture the current application that is running in interactive mode with the ‘window capture’ mode as default vs. the crosshairs. It will save the resulting file to the user’s desktop with the current date/time stamp just in case they are taking multiple pictures.

Save the workflow which will prompt for a name, choose something simple like “Screen Capture Window” and it will now be available for every application that your switcher uses under the “Application Name” => “Services” => “Screen Capture Window” (something easy for them to remember and repeat as needed).