anitsh / til

Today I Learn (til) - Github `Issues` used as daily learning management system for taking notes and storing resource links.
https://anitshrestha.com.np
MIT License
77 stars 11 forks

Securing MacOS #590

Open anitsh opened 3 years ago

anitsh commented 3 years ago

Resource

anitsh commented 3 years ago

While checking open ports, found kdc running

sudo lsof -PiTCP -sTCP:LISTEN

kdc 131 root 5u IPv6 0x7be3789b8d14e157 0t0 TCP *:88 (LISTEN)
kdc 131 root 7u IPv4 0x7be3789b8d158207 0t0 TCP *:88 (LISTEN)

Disabled it. SSH works fine.

Appendix C. Understanding the Local KDC

The local Key Distribution Center (LKDC) feature, new to Mac OS X v10.5 and Mac OS X Server v10.5, facilitates single sign-on for Apple Filing Protocol (AFP) file sharing and screen sharing. Because the LKDC shows up when you look at various configuration files, you may want to understand how it fits in with the other authentication services. The bottom line is that once your computer running Mac OS X or Mac OS X Server joins a Kerberos realm, its services no longer use the LKDC, and it shouldn’t interfere with authentication.

Every computer running Mac OS X v10.5 and Mac OS X Server v10.5 has its own LKDC that facilitates access to the Kerberized services running locally.

Enable/Disable

Disable: sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
Enable: sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist
Remove: sudo launchctl remove /System/Library/LaunchDaemons/com.apple.Kerberos.kdc.plist

Resource
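
An added example, not part of the til notes: a small shell check that compares the output of `sudo lsof -PiTCP -sTCP:LISTEN` with an allowlist of ports this host is expected to serve, so a stray listener like kdc on TCP 88 is reported rather than scrolled past. The lsof output embedded below is constructed in lsof's real column layout, and the allowlist (only sshd on 22) is an assumption for this host.

```shell
#!/bin/sh
# Added example (not from the til repo): report listeners that are not on an
# allowlist of expected ports. Works on any awk; live input on macOS comes from
# `sudo lsof -PiTCP -sTCP:LISTEN`.

# Constructed sample in lsof's format (device ids and PIDs are made up).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
kdc       131 root    5u  IPv6 0x7be3789b8d14e157      0t0  TCP *:88 (LISTEN)
kdc       131 root    7u  IPv4 0x7be3789b8d158207      0t0  TCP *:88 (LISTEN)
sshd      212 root    4u  IPv4 0x7be3789b8d200001      0t0  TCP *:22 (LISTEN)
cupsd     250 root    6u  IPv4 0x7be3789b8d200002      0t0  TCP localhost:631 (LISTEN)'

# Ports this host is expected to listen on (assumption: only SSH).
ALLOWED_PORTS="22"

# unexpected_listeners <lsof output> <space-separated allowed ports>
# Prints one "command pid port" line per listener whose port is not allowed;
# the IPv4/IPv6 pair of the same daemon is reported once.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $NF == "(LISTEN)" {
            addr = $(NF-1)                      # e.g. *:88 or localhost:631
            port = addr; sub(/.*:/, "", port)   # keep text after the last colon
            key = $1 " " $2 " " port
            if (!(port in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Live use on macOS:
#   unexpected_listeners "$(sudo lsof -PiTCP -sTCP:LISTEN)" "$ALLOWED_PORTS"
unexpected_listeners "$SAMPLE_LSOF" "$ALLOWED_PORTS"
```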

anitsh commented 3 years ago

Disable cupsd

anitsh commented 3 years ago

Safe-mode

Start In Safe-mode

  1. Start or restart your Mac, then immediately press and hold the Shift key. The Apple logo appears on your display. If you don't see the Apple logo, learn what to do.
  2. Release the Shift key when you see the login window. If your startup disk is encrypted with FileVault, you might be asked to log in twice: once to unlock the startup disk, and again to log in to the Finder.

Leave safe mode,

Restart your Mac without pressing any keys during startup.

anitsh commented 3 years ago

Serial device tty and cu

Each serial device shows up twice in /dev, once as a tty.* and once as a cu.*. What is the cu. device? How does it differ from the tty. device?

http://lists.berlios.de/pipermail/gpsd-dev/2005-April/001288.html : The idea is to supplement software in sharing a line between incoming and outgoing calls. The callin device (typically /dev/tty*) is used for incoming traffic. Any process trying to open it blocks within the open() call as long as DCD is not asserted by hardware (i.e. as long as the modem doesn't have a carrier). During this, the callout device (typically /dev/cu* -- cu stands for "calling unit") can be freely used. Opening /dev/cu* doesn't require DCD to be asserted and succeeds immediately. Once succeeded, the blocked open() on the callin device will be suspended, and cannot even complete when DCD is raised, until the cu device is closed again.

That way, you can have a getty listening on /dev/tty*, and can still use /dev/cu* without restrictions.

anitsh commented 3 years ago

pfctl Firewall

The pfctl utility communicates with the packet filter device. It allows ruleset and parameter configuration and retrieval of status information from the packet filter.

Packet filtering restricts the types of packets that pass through network interfaces entering or leaving the host based on filter rules as described in pf.conf(5). The packet filter can also replace addresses and ports of packets. Replacing source addresses and ports of outgoing packets is called NAT (Network Address Translation) and is used to connect an internal network (usually reserved address space) to an external one (the Internet) by making all connections to external hosts appear to come from the gateway. Replacing destination addresses and ports of incoming packets is used to redirect connections to different hosts and/or ports. A combination of both translations, bidirectional NAT, is also supported.

Translation rules are described in pf.conf(5).

https://gist.github.com/flackend/7c999c943ab46f4bfe34

anitsh commented 3 years ago

socketfilterfw -- Application Firewall daemon

socketfilterfw is a daemon that gets launched on demand when the Application Firewall is enabled. There are also command-line options to change the Application Firewall behavior.

anitsh commented 3 years ago

launchd -- System wide and per-user daemon/agent manager

launchd manages processes, both for the system as a whole and for individual users.

The primary and preferred interface to launchd is via the launchctl(1) tool which (among other options) allows the user or administrator to load and unload jobs. Where possible, it is preferable for jobs to launch on demand based on criteria specified in their respective configuration files.

launchd also manages XPC services that are bundled within applications and frameworks on the system.

During boot launchd is invoked by the kernel to run as the first process on the system and to further bootstrap the rest of the system.

You cannot invoke launchd directly.

FILES
~/Library/LaunchAgents Per-user agents provided by the user.
/Library/LaunchAgents Per-user agents provided by the administrator.
/Library/LaunchDaemons System-wide daemons provided by the administrator.
/System/Library/LaunchAgents Per-user agents provided by Apple.
/System/Library/LaunchDaemons System-wide daemons provided by Apple.

launchctl interfaces with launchd to manage and inspect daemons, agents and XPC services.

launchctl allows for detailed examination of launchd's data structures. The fundamental structures are domains, services, and endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets.

Many subcommands in launchctl take a specifier which indicates the target domain or service for the subcommand. This specifier may take one of the following forms:

For instance, when referring to a service with the identifier com.apple.example loaded into the GUI domain of a user with UID 501, domain-target is gui/501/, service-name is com.apple.example, and service-target is gui/501/com.apple.example.

launchd.plist -- System wide and per-user daemon/agent configuration files

This document details the parameters that can be given to an XML property list that can be loaded into launchd with launchctl.

Daemons or agents managed by launchd are expected to behave certain ways.

A daemon or agent launched by launchd MUST NOT do the following in the process directly launched by launchd:
o Call daemon(3).
o Do the moral equivalent of daemon(3) by calling fork(2) and have the parent process exit(3) or _exit(2).

A launchd daemon or agent should not perform the following as part of its initialization, as launchd will always implicitly perform them on behalf of the process.
o Redirect stdio(3) to /dev/null.

A launchd daemon or agent need not perform the following as part of its initialization, since launchd can perform them on the process' behalf with the appropriate launchd.plist keys specified.
o Setup the user ID or group ID.
o Setup the working directory.
o chroot(2)
o setsid(2)
o Close "stray" file descriptors.
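
An added example, not part of the til notes: a first-pass review of the launchd job files found in the LaunchAgents/LaunchDaemons directories listed above. Those directories are where persistence usually lives, so the check pulls out what each launchd.plist executes and flags jobs whose program sits in a path a non-root user can write to. The plist embedded below is constructed; the parser assumes the key and its value are on separate lines, as in plists written by Xcode or plutil.

```shell
#!/bin/sh
# Added example (not from the til repo): extract the executable a launchd.plist
# runs and rate it by the writability of its location.

# Constructed launchd.plist in the XML property-list form launchctl loads.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/demo/Library/.cache/updater</string>
        <string>--quiet</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>'

# plist_program <plist text>: the executable the job runs, taken from the
# Program key or the first ProgramArguments entry (key and value must be on
# separate lines, which is how plutil and Xcode write them).
plist_program() {
    printf '%s\n' "$1" | awk '
        /<key>Program<\/key>/ || /<key>ProgramArguments<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }'
}

# plist_risk <plist text>: "suspicious" when the program lives under a path
# that ordinary users can write to, "no-program" when none is declared,
# otherwise "ok".
plist_risk() {
    prog=$(plist_program "$1")
    case "$prog" in
        /Users/*|/tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*) echo suspicious ;;
        "") echo no-program ;;
        *) echo ok ;;
    esac
}

# Live use on macOS, over the directories from the launchd man page:
#   for f in /Library/LaunchDaemons/*.plist ~/Library/LaunchAgents/*.plist; do
#       p=$(cat "$f"); printf '%s %s %s\n' "$(plist_risk "$p")" "$f" "$(plist_program "$p")"
#   done
printf '%s %s\n' "$(plist_risk "$SAMPLE_PLIST")" "$(plist_program "$SAMPLE_PLIST")"
```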

anitsh commented 3 years ago

system_profiler -- reports system hardware and software configuration

system_profiler reports on the hardware and software configuration of the system. It can generate plain text reports or XML reports which can be opened with System Information.app, or JSON reports.

Progress and error messages are printed to stderr while actual report data is printed to stdout. Redirect stderr to /dev/null to suppress progress and error messages.

Examples:

system_profiler
Generates a text report with the standard detail level.

system_profiler -detailLevel mini
Generates a short report containing no personal information.

system_profiler -listDataTypes
Shows a list of the available data types.

system_profiler SPSoftwareDataType SPNetworkDataType SPHardwareDataType
Generates a text report containing only software and network data.

system_profiler -xml > MyReport.spx
Creates an XML file which can be opened by System Profiler.app

anitsh commented 3 years ago

sysctl -- get or set kernel state

The sysctl utility retrieves kernel state and allows processes with appropriate privilege to set kernel state. The state to be retrieved or set is described using a "Management Information Base" ("MIB") style name, described as a dotted set of components.

anitsh commented 3 years ago

ASL – Apple System Log

https://resilience.sh/better-auditing-macos
https://asl.readthedocs.io/en/latest

anitsh commented 3 years ago

audit -- audit management utility - NOW DEPRECATED

anitsh commented 3 years ago

Application Layer Firewall

/usr/libexec/ApplicationFirewall/
https://krypted.com/mac-os-x/command-line-alf-on-mac-os-x

anitsh commented 3 years ago

dscl -- Directory Service command line utility

Find users hidden/lost: dscl . list /Users | grep -v '^_'

dscacheutil -- gather information, statistics and initiate queries to the Directory Service cache.

dscacheutil does various operations against the Directory Service cache including gathering statistics, initiating lookups, inspection, cache flush, etc. This tool replaces most of the functionality of the lookupd tool previously available in the OS.

dscacheutil -q user List all users.
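
An added example, not part of the til notes: an account review built on `dscl . list /Users UniqueID`, which prints one "name uid" pair per line. It goes a step beyond the grep above: it separates real accounts from the underscore-prefixed service accounts, and flags entries that break the convention that UIDs below 500 belong to system and service accounts, as well as two accounts sharing a UID. The dscl output below is constructed; the 500 threshold and the root/daemon/nobody exceptions are assumptions taken from the usual macOS layout.

```shell
#!/bin/sh
# Added example (not from the til repo): review local accounts from the
# "name uid" lines that `dscl . list /Users UniqueID` prints.

# Constructed sample; svc-backup deliberately reuses demo's UID and helper
# sits below 500 without the '_' service-account prefix.
SAMPLE_DSCL='_amavisd                 83
_analyticsd              263
daemon                   1
nobody                   -2
root                     0
demo                     501
svc-backup               501
helper                   499'

# real_users <dscl output>: non-service accounts (UID >= 500, no leading '_')
real_users() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 !~ /^_/ && $2 >= 500 { print $1 }'
}

# odd_accounts <dscl output>: one line per convention violation:
#   - a low UID without the '_' prefix (root, daemon and nobody are expected)
#   - a UID already used by an earlier account
odd_accounts() {
    printf '%s\n' "$1" | awk '
        NF < 2 { next }
        $1 !~ /^_/ && $2 < 500 && $1 != "root" && $1 != "daemon" && $1 != "nobody" {
            print $1 ": low uid " $2
        }
        {
            if ($2 in seen) print $1 ": duplicate uid " $2 " (also " seen[$2] ")"
            else seen[$2] = $1
        }'
}

# Live use on macOS:
#   accounts=$(dscl . list /Users UniqueID)
#   real_users "$accounts"; odd_accounts "$accounts"
real_users "$SAMPLE_DSCL"
odd_accounts "$SAMPLE_DSCL"
```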

anitsh commented 3 years ago

find -- walk a file hierarchy

mdfind -- finds files matching a given query

The mdfind command consults the central metadata store and returns a list of files that match the given metadata query. The query can be a string or a query expression.

mdfind -name "adobe"

anitsh commented 3 years ago

log -- Access system wide log messages created by os_log, os_trace and other logging systems

sudo log show --predicate '(eventMessage CONTAINS "Authentication")' --style syslog --last 1d | less

anitsh commented 3 years ago

taskinfo : Process info

From top, 669 was being called constantly and consuming a lot of CPU.

669   PasswordBreachAg 0.0  00:09.15 5     4   59     3900K  0B    3392K 669  1    sleeping  0[0]    0.00000 0.00000    504 39551    158   39508+    366       286402+ 157177+  283430+   475     37839+   0.0   89865     457195    macmini                N/A    N/A   N/A   N/A   N/A   N/A  

Details about the process:

sudo taskinfo 669
process: "PasswordBreachAgent" [669] [unique ID: 669]
architecture: x86_64
coalition (type 0) ID: 761
coalition (type 1) ID: 762
suspend count: 0
virtual bytes: 4.16 GB; phys_footprint bytes: 3.81 MB; phys_footprint lifetime maximum bytes: 3.82 MB
run time: 338679 s
user/system time    (current threads): 3.033388 s / 6.122702 s
user/system time (terminated threads): 0.000368 s / 0.000474 s
interrupt wakeups: 39069 (37867 / 96.92% from platform idle)
default sched policy: POLICY_TIMESHARE
CPU usage monitor: 50% CPU over 180 seconds
CPU wakes monitor: 150 wakes per second (over system-default time period)
dirty tracking: tracked idle-exit clean
boosts: 0 (0 externalized)
requested policy
        req apptype: TASK_APPTYPE_DAEMON_BACKGROUND
        req role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
        req qos clamp: THREAD_QOS_UNSPECIFIED
        req base/override latency qos: LATENCY_QOS_TIER_UNSPECIFIED / LATENCY_QOS_TIER_UNSPECIFIED
        req base/override thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED / THROUGHPUT_QOS_TIER_UNSPECIFIED
        req darwin BG: NO  
        req internal/external iotier: THROTTLE_LEVEL_TIER0 (IMPORTANT) / THROTTLE_LEVEL_TIER0 (IMPORTANT)
        req darwin BG iotier: THROTTLE_LEVEL_TIER2 (UTILITY)
        req managed: NO
        req other: 
        req suppression (App Nap) behaviors: 
effective policy
        eff role: TASK_UNSPECIFIED (PRIO_DARWIN_ROLE_DEFAULT)
        eff latency qos: LATENCY_QOS_TIER_UNSPECIFIED
        eff thruput qos: THROUGHPUT_QOS_TIER_UNSPECIFIED
        eff darwin BG: YES
        eff iotier: THROTTLE_LEVEL_TIER2 (UTILITY)
        eff managed: NO
        eff qos ceiling: THREAD_QOS_USER_INITIATED
        eff qos clamp: THREAD_QOS_UNSPECIFIED
        eff other: low-priority-cpu (4) bg-newsockets 
imp_donor: NO
imp_receiver: NO
pid suspended: NO
adaptive daemon: NO (boosted: NO)

Checking which process started it

ps -p 669 -lx | less
  UID   PID  PPID        F CPU PRI NI       SZ    RSS WCHAN     S             ADDR TTY           TIME CMD
  504   669     1     4004   0   4  0  4364232   6920 -      S                   0 ??         0:09.27 /Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/PasswordBreachAgent

Changed terminal CLI env to bash:

sudo chsh -s /bin/bash

Executing top was giving an error:

error opening terminal: xterm-256color

Solved it by export TERM=xterm

Resource