Be wary when traveling

🛩 🚎 🚆

During this holiday season, people will travel by bus, boat, car, or plane to visit friends and family. While this is the time to turn off work and recharge your batteries, not everyone is afforded that luxury. If you are not afforded that luxury, or feel you need to use a work or personal device in such a public space, please use your devices with caution.

Public spaces are, precisely as stated, public. Many people hop on public Wi-Fi at the:

  • Airport
  • Bus
  • Train
  • Coffee Shop

First I will address working in these spaces. If possible, just don't do it. The risks associated with connecting to the wrong network, or with someone shoulder surfing your screen, laptop, or tablet, are high. With a simple glance a stranger could see a confidential email, spreadsheet, or presentation. While most people are just curious and harmless, traveling themselves to see family and friends, you don't know the people around you, so why risk leaking data accidentally? If you must work, there are mitigations to help keep your company and personal data safe.

  • VPN
  • Privacy Screen
  • Adjust Screen Brightness
  • Limit work/browsing session

A Virtual Private Network (VPN) is a critical piece of software; ask your IT department to implement one, or to grant you access to it, if you travel. At a high level, a VPN encrypts the data leaving and arriving at your machine. This is important because a VPN makes it harder for a malicious individual to view information going to or coming from your device.

A privacy screen will help stop shoulder surfers from viewing your screen. Privacy screens make your screen hard to see from certain angles; a privacy screen will not protect every viewing angle, but it will protect most. Computers today are smart enough to adjust the brightness of your display to match the ambient light in the room. While this is great when you are at home or in the office, dimming your screen will reduce a person's ability to eavesdrop on it.

Keeping your brightness at 50% or less will help protect you. Lastly, limit the type of things you work on in public. Can the presentation about financials or HR-related topics wait until you are at your destination? Think of the fallout of having someone report seeing that information to your company, or worse, the media.

Non-sensitive email or research/searching are some of the items safe to check in public places, meaning checking out cnn.com without logging into your account, or ESPN.com for sports news without logging into your account. Never log into any service while on public Wi-Fi. Managing payroll, updating GitHub repos, and checking bank statements are particular items to skip while traveling or on untrusted networks. Finally, a safe browsing tip is ensuring all websites you visit use HTTPS. While HTTPS does not guarantee a website is safe, it is better than visiting any site over HTTP. HTTPS Everywhere, by the EFF, is a great tool to help with this.

There are multitudes of other things you could do to keep yourself safe, but the items I have listed are just a start. Don't have someone looking at your sales pitch, potential client list or talking points, or getting access to any financial information during this holiday season.

The small amount of information I have provided is helpful to a point. Choosing a VPN service or privacy screen can be troublesome. I will say I am a fan of 3M privacy screens with tabs. Tabs allow you to remove the privacy screen at your leisure, say when sharing a screen during a meeting or once you get to your final destination. A VPN service is a bit more challenging. There are a multitude of things to be worried about with a VPN: where are the servers located, are they really encrypting your data, how many devices can I use, connection speed, plus a plethora of other topics. I do not have a suggestion, but I will say it never hurts to do a bit of light reading:

Articles for reading:

Safe travels. Cheers ✌🏽

Win the day: Evolve

My involvement with the Mac community is about to hit double digits. One of the reasons why I love the community is that it truly feels like a community. Individuals get together to support one another, knowing that the IT department at a given company may be a single individual or a collection of individuals. No matter the size of the team or the skill set of the person, the community is always willing to try to offer the best solution the team can use to manage here and now, while still leaving room for people to grow. The same community is also there as a sounding board when it feels like everything is going wrong. Lastly, when it is time for a change, the community is there to help support that change. While I have been primarily involved with the community via Macbrained and speaking at Mac conferences, I have noticed over the last few years a difference at times when chatting with the community. Endpoint management tools and ideologies around how to manage the Apple ecosystem are abundant.

A trend in Mac administration has been that if your organization had enough resources, Jamf Pro was the tool, but depending on your needs it could require custom code to effectively manage your fleet. If a company required IT to be scrappy (my favorite IT term from management), Jamf Pro usually wasn't an option, so Munki was the tool of choice. Lastly, companies with a team of endpoint engineers usually deployed tools like Puppet or Chef. All of the tools listed above are great options depending on the makeup and composition of your team and company. While the Mac management tools may not be as old as Active Directory, the tools at our disposal are more than capable of managing our fleets. Depending on the size of an administrator's company, a Mac administrator may have to manage Windows. The choice is usually not to manage Windows, or to barely support it, due to a lack of experience or a claim that Windows isn't better. This is always a matter of opinion, but one that I would like to address.

Administrators of macOS usually do not work on Windows or Windows administration. I say usually, as some do not care, and for those admins this is not for you, I think. A comment I've heard before is "Windows administrators just don't get it. Mac is different." While this rings true on the surface, if you dig deeper into that statement, I know it does not ring true. At its core, Windows and Mac environments are endpoints. Both operating systems have management tools which perform modifications to ensure a device is compliant with a company's requirements. Both platforms have advantages depending on an individual's role and responsibility. We all know finance loves Windows. But many Mac administrators either refuse, or are not comfortable or willing enough, to take the leap into Windows management. They are not interested in Windows management because they do not know the environment, or are unsure of the who, what, where, and why of Windows management. Well, I am here to say Mac endpoint engineers need to come out of the dark and learn how to manage Windows on at least a minimal level.

Part of evolving and becoming a better administrator is taking on new and challenging tasks or projects. Learning Windows administration will frustrate, challenge, and enlighten you, and prove there are similarities in managing both operating systems. Managing Windows is very challenging, as the number of ways to apply a setting is vast. The amount of Windows logging alone is overwhelming. Even though Windows management does require a different skill set, managing the endpoint keeps the same philosophy as Mac management. Over my next few posts, I will begin to show how managing Windows is eerily similar to managing Macs. I hope to provide guidance to Mac administrators who have to manage Windows, or Mac admins who want to embrace Windows in their environment. It's time for the evolution of the Mac admin.

Macad.UK

Hello All,

It's been a while since we last spoke. Since then I have changed jobs, added a new member to the family, and graduated with a degree in Securing Information Systems. Needless to say, I have been busy. Next month, I have been granted the privilege of presenting at MacAD.UK 2017 in London. I will be presenting on a topic I have written about previously, the PF firewall on OS X. My blog has a few posts about it for those who would like to become familiar with the material. I am looking forward to spending time with people I don't know, people I know, and exploring another country. Here's to the conference and all the great learning that will come.

Here is a link to the website and the schedule. See you soon, London.

PSU Macadmins Conference 2016

PSU MacAdmins is a great conference for Mac admins from across the world to come together to talk about issues that are happening in the Mac world. This year I have the privilege of speaking at the conference on a topic that I have blogged about previously, Packet Firewall (PF). The talk is similar to the one I gave at MacTech 2015, with updated slides and an example of how to use the ELK stack (Elasticsearch, Logstash, Kibana) to build a dashboard of pf.log data. Visualization provides a quick glance at pf data, or can provide enough information to determine how often an IP address is hitting all of your clients. Here is the slide deck.

Links:

  • How Packet Firewall (PF) Can Protect Your Enterprise (PSUMac 2016)
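Before the data reaches Logstash and Kibana it has to be pulled out of pf.log, which is a binary pcap-style file that tcpdump renders as text. The following is an added example, not code from the talk or from the author: it parses a few constructed pflog lines in the text form that `tcpdump -n -e -ttt -r /var/log/pf.log` prints (the exact layout differs between tcpdump versions, so the regex is an assumption to adjust against your own output) and answers the dashboard question from the paragraph above, how often each blocked source address is hitting which clients.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the post) in the shape `tcpdump -n -e -ttt -r /var/log/pf.log`
# prints for pflog records. The exact layout varies by tcpdump version, so the regex below is an
# assumption to adjust against your own output. Addresses are RFC 5737 documentation ranges.
SAMPLE_PFLOG_LINES = """\
000000 rule 0/0(match): block in on en0: 198.51.100.23.44123 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
000512 rule 0/0(match): block in on en0: 198.51.100.23.44124 > 192.0.2.10.5900: Flags [S], seq 1, win 65535, length 0
001024 rule 0/0(match): block in on en0: 203.0.113.7.60000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
002048 rule 2/0(match): pass in on en0: 192.0.2.99 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
003072 rule 0/0(match): block in on en0: 198.51.100.23.44125 > 192.0.2.11.445: Flags [S], seq 1, win 65535, length 0
this line is not a pflog record and is skipped
"""

# One record: rule id, action, direction, interface, then "src[.port] > dst[.port]:".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\S+)\(match\):?\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+"
    r"(?P<iface>\S+):\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):"
)


def split_host_port(token):
    """tcpdump joins an IPv4 address and port with a dot: '192.0.2.10.22' -> ('192.0.2.10', 22).
    A bare address (ICMP, no port) comes back with port None. IPv4 only."""
    parts = token.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_pflog(text):
    """Turn pflog text lines into dicts; lines that do not match the record shape are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        src, sport = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        records.append({"rule": m["rule"], "action": m["action"], "dir": m["dir"],
                        "iface": m["iface"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport})
    return records


def blocked_sources(records):
    """Blocked inbound hits per source address: the 'top talkers' panel of a pf dashboard."""
    return Counter(r["src"] for r in records if r["action"] == "block" and r["dir"] == "in")


def clients_hit_per_source(records):
    """Which of our clients each blocked source touched, i.e. how widely one address is probing."""
    hits = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["dir"] == "in":
            hits[r["src"]].add(r["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def blocked_ports(records):
    """Destination ports most often blocked, useful for spotting a scan for one service."""
    return Counter(r["dport"] for r in records
                   if r["action"] == "block" and r["dport"] is not None)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG_LINES)
    spread = clients_hit_per_source(recs)
    for src, n in blocked_sources(recs).most_common():
        print(f"{src:<16} blocked {n} times, clients hit: {', '.join(spread[src])}")
    print("blocked ports:", dict(blocked_ports(recs)))
```

Feeding the `parse_pflog` dicts to Logstash as JSON gives Kibana the same fields (`src`, `dst`, `dport`, `action`, `rule`) to aggregate on; the two Counter functions are the aggregations the dashboard would show, computed here offline so you can sanity check them against a log you already have.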

 

pf.anchor

I have started to talk a bit more about PF in a broad sense. Over the course of my talks and general discussion, it has been brought to my attention that people would like to see a sample pf.anchor. Well, I have posted a sample pf.anchor on my GitHub.

Please note that when you place the file inside of pf.anchors, you will need to do the following for it to work:

  1. Create a com.yourcompany file within the pf.anchors folder
  2. Ensure the pf.conf file is set to read all the anchors within pf.anchors
  3. Test

Here are samples of both the pf.conf and pf.anchor files, along with the link to GitHub. Happy trails!

First, the pf.conf file:

#Default PF configuration file.
#

# This file contains the main ruleset, which gets automatically loaded
# at startup.  PF will not be automatically enabled, however.  Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8).  That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically 
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"

scrub-anchor "com.jason"
nat-anchor "com.jason"
rdr-anchor "com.jason"
dummynet-anchor "com.jason"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"

This is the beginning of the pf.anchor file, which is read by pf.conf

#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
casper_filerep = "{ 443 }"
casper_comms = "{ 8443 }"
udp_services = "{ rfb }"
icmp_types = "{ echorep, echoreq, timex, unreach }"

#Tables
#list out hosts to allow for whitelisting of "our" services

#table <block_hosts> persist
#table <dont_log_block_host> persist
#table <private> const { 10/8 172.16/12 192.168/16 224/8 }
#table <martians> const { 127/8 10/8 172.16/12 192.168/16 169.254/16 240/4 0/8 192.2.0.2/24 }

#Cyber Security Scanners
#table <whitelist_host> persist { \
        129.8.64.0/24 \
        150.342.46.291/27 \
#}

#Your Services
#table <yourhosts> persist { 821.6.14.24 123.4.5.987 198.33.45.11 128.4.98.103 198.7.128.193 100.3.28.14}
#           821.6.14.24      \ #Casper Server
#        123.4.5.987      \ #Bigfix production service
#        198.33.45.11        \ #Test server for Casper infrastructure
#        128.4.98.103       \ #jFuture management server
#        198.7.128.193       \ #Casper Software Repo
#        100.3.28.141       \ #Future management server

#table <bigfix> persist { 123.4.5.987  }

#these are added in if we need to allow SSH via OTP on a client device. 
#table <otp> const { 281.4.56.43 }      

#ssh.server.corp = 113.56.78.987
#otp.example.corp = 281.4.56.43

#Rules Created by "You"

#disable all filtering on loopback, possible Vmware nets
set skip on {lo,vmnet}

#block all inbound traffic
block in log all

#allow out the tcp and udp traffic
#pass in log proto tcp from <yourhosts> to port $tcp_services 
#pass in log proto udp from <yourhosts> to port $udp_services
#pass in log proto udp from <bigfix> to port $bigfix_udp 
#pass in log quick proto tcp from <otp> to port $casper_ssh
#pass in log quick proto udp from <otp> to port $casper_ssh
#pass in log proto tcp from <yourhosts> to port $casper_ssh
#pass in log proto udp from <yourhosts> to port $casper_ssh
#pass in log proto tcp from any to port $casper_comms
#pass in log proto tcp from <yourhosts> to port $casper_filerep

#Allow whitelist hosts
#pass in log from <whitelist_host> to any

#Allow Your Service hosts
#pass in log from <yourhosts> to any

#Allow control traffic from LBL router
#pass in proto igmp from router_ip_here allow-opts

#ICMP traffic allowed to be passed in
pass in log inet proto icmp icmp-type $icmp_types
#We specify the address family 'inet' because pf requires it when specifying an ICMP type

#Trust all outbound
pass out all keep state

#James has these in his pf.conf so this chatty traffic is blocked without being logged (pf applies the last matching rule, so they override the logged block above); take them out if necessary
block in proto { tcp, udp } to port { 137:139, 17500 }
block in proto { tcp, udp } to port 631 #ipp - printers
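The three steps above (create the anchor file, make sure pf.conf loads it, test) are where most anchor problems come from: a rule that references a macro or table that was never defined, a placeholder address that is not a real IPv4 address, or a pf.conf that declares the anchor point but never loads the file into it. The following is an added example, not the sample from the post or from GitHub: a small offline lint in Python that joins backslash continuations the way pf's lexer does, then checks a constructed anchor (in the same style as the one above, with one deliberately invalid address, one undefined macro and one undefined table) and a constructed pf.conf excerpt for those mistakes. The macro and table names, the anchor name com.jason and the addresses are taken from or modelled on the files above; the checks themselves are assumptions about what is worth catching before loading.

```python
import ipaddress
import re

# Constructed sample anchor (not the post's file) in the same style: macros, tables, rules.
# It deliberately keeps one placeholder address that is not a valid IPv4 address, one rule
# that uses a macro never defined, and one rule that uses a table never defined.
SAMPLE_ANCHOR = """\
#Macros
tcp_services = "{ rfb }"
casper_ssh = "{ ssh }"
icmp_types = "{ echorep, echoreq, timex, unreach }"

#Tables
table <yourhosts> persist { 192.0.2.10 \\
        198.51.100.23 \\
        150.342.46.291 }
table <bigfix> persist { 203.0.113.7 }
table <private> const { 10/8 172.16/12 192.168/16 }

set skip on {lo,vmnet}
block in log all
pass in log proto tcp from <yourhosts> to port $tcp_services
pass in log proto udp from <bigfix> to port $bigfix_udp
pass in log quick proto tcp from <otp> to port $casper_ssh
pass in log inet proto icmp icmp-type $icmp_types
pass out all keep state
"""

# Constructed pf.conf excerpt: the two lines step 2 of the post requires for each anchor.
SAMPLE_PFCONF = """\
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "com.jason"
load anchor "com.jason" from "/etc/pf.anchors/com.jason"
"""

MACRO_RE = re.compile(r"^(\w+)\s*=")
TABLE_RE = re.compile(r"^table\s+<(\w+)>(.*)$")
BRACE_RE = re.compile(r"\{([^}]*)\}")


def logical_lines(text):
    """Join backslash-newline continuations (as pf's lexer does), then drop comments and blanks.
    Comment stripping is naive: a '#' inside a quoted string would be treated as a comment."""
    out = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def normalize_pf_addr(tok):
    """pf accepts shorthand like 10/8 for 10.0.0.0/8; pad to four octets so ipaddress can check it."""
    addr, _, prefix = tok.partition("/")
    octets = addr.split(".")
    if all(o.isdigit() for o in octets) and len(octets) < 4:
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return addr + ("/" + prefix if prefix else "")


def lint_anchor(text):
    """Return a list of findings: invalid table addresses, undefined macros, undefined tables."""
    findings, macros, tables, rules = [], set(), set(), []
    for line in logical_lines(text):
        m = MACRO_RE.match(line)
        if m:
            macros.add(m.group(1))
            continue
        t = TABLE_RE.match(line)
        if t:
            tables.add(t.group(1))
            body = BRACE_RE.search(t.group(2))
            for tok in (body.group(1).split() if body else []):
                if not re.fullmatch(r"[\d./]+", tok):
                    continue  # hostname entry: left to DNS resolution at load time
                try:
                    ipaddress.ip_network(normalize_pf_addr(tok), strict=False)
                except ValueError:
                    findings.append(f"table <{t.group(1)}>: invalid address '{tok}'")
            continue
        rules.append(line)
    for rule in rules:
        for name in re.findall(r"\$(\w+)", rule):
            if name not in macros:
                findings.append(f"undefined macro ${name} in: {rule}")
        for name in re.findall(r"<(\w+)>", rule):
            if name not in tables:
                findings.append(f"undefined table <{name}> in: {rule}")
    return findings


def anchor_is_loaded(pfconf_text, name, anchors_dir="/etc/pf.anchors"):
    """Step 2 of the post: pf.conf must declare the anchor point and load the file into it."""
    lines = logical_lines(pfconf_text)
    has_anchor = any(re.fullmatch(rf'anchor\s+"{re.escape(name)}"', ln) for ln in lines)
    has_load = any(re.fullmatch(
        rf'load\s+anchor\s+"{re.escape(name)}"\s+from\s+"{re.escape(anchors_dir)}/{re.escape(name)}"',
        ln) for ln in lines)
    return has_anchor and has_load


if __name__ == "__main__":
    for finding in lint_anchor(SAMPLE_ANCHOR):
        print("finding:", finding)
    for name in ("com.jason", "com.yourcompany"):
        print(f"{name} loaded by pf.conf: {anchor_is_loaded(SAMPLE_PFCONF, name)}")
```

This only catches reference mistakes; for step 3 the real syntax check is still `pfctl -n -f /etc/pf.conf`, which parses the whole ruleset, anchors included, without loading it, followed by loading it for real and watching pf.log for traffic you did not mean to block.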

JNUC 2015 - Day 3

Thursday was the last day of JNUC 2015. There were quite a few talks lined up, along with a couple of panels. The talks that grabbed my attention were:

  • Integrating & Automating Your Help Desk Ticketing
  • Security Matters: Making Infosec Your Friend
  • Simplifying Complex Management Infrastructures
  • Security Panel/VPP & DEP Panel

There were a multitude of other talks that grabbed my attention but alas I can only be in one place at a time. Integrating & Automating Your Help Desk Ticketing was an interesting talk. The takeaways from this talk were:

  • Develop Automation
  • Automation is proactive when done right
  • Use APIs from Casper and your Ticketing system

I had a few conversations with people about this talk, and some have done this and automated even further. They assign the ticket to a technician with all the appropriate information, so there is no need to decide who will complete each newly created task.

The infosec talk caused many attendees to think differently about how you deal with your infosec team. At times Mac admins only think of things in terms of what we need to do in order to patch or repair a machine. If you talk to or build a relationship with your infosec team, you will learn about their worries or concerns about OS X:

  • Spotlight EULA, which sends results to Microsoft Bing
  • Bluetooth Vulnerabilities
  • Setting EFI Password to protect machines
  • Using FileVault
  • Adobe FLASH
  • Web Browsers, keeping them up to date
  • Network Layer Attacks

By having open conversations with your infosec team you can collaborate, reduce frustrations, and provide a more secure environment for your users and employer.

Simplifying Complex Management Infrastructures provided great examples of how you can take your environment, no matter the size, and manage it using the Casper Suite. That is, management of OS X servers and knowing all the information about what is installed, software updates, or updating software. OS X admins have servers located in many locations, and sometimes basic updates from OS X Server are not enough. The Casper Suite can provide inventory information and can automate server management tasks.

I hopped between both panels, but they provided great information about each particular topic. People were able to submit questions via JAMF Nation, Twitter, or in person via a JAMFer. The Twitter hashtags are:

  • JNUCSecurity
  • JNUCVPP
  • JNUCDEP

Lastly, the conference ended with a wrap-up session where people talked shop, said their goodbyes, and finished their conference questions for speakers. It was a great time in Minneapolis for the JNUC. Can't wait for 2016.

JNUC 2015 - Day 2

Today, the JNUC was filled with very entertaining talks. The day started off with a talk from the team at IBM, discussing the integration of 30,000 Macs. It was quite impressive to see a deployment at such scale. During the talk IBM talked about Workstation-as-a-Service (WaaS), which is an interesting approach to defining your workstation infrastructure. IBM is deploying 1,900 Macs a week, with a support staff of 24, and still growing. 98.7% of their Mac tickets are solved on the first call attempt. The folks who are working on the Mac deployment at IBM are very passionate about the product and the people they serve. IBM is leveraging DEP for their OS X clients, which gives them the ability to:

  • Printed Welcome Insert (inside of Macbook Boxes)
  • Self Service (Only location for Mac Applications)
  • Users are ADMINS on their workstations
  • NO Active Directory

Check out the article about their presentation:

Mac@IBM, Zero to 30,000 in 6 months

This was a great presentation about Culture and how Macs work at IBM, think user first and build backward.

A highly entertaining and informative talk was Ben Toms' Let's Talk About Certificates. Ben reviewed:

  • PKI
  • SCEP
  • CSR
  • APNS
  • Root and Intermediate CAs

It was quite informative and even had the appearance of a few plumbers. Watch the video when it is released.

Lastly, I went to a talk titled Make Your JSS Feel New with the Help of the API. It was a great talk and provided great examples of why you would want to start over with a new JSS and how to automate the process of migrating the JSS framework in under 30 minutes.

Day two was great and I will share more on day three later.

JNUC 2015 - Day 1

I am writing today from JNUC 2015 in Minneapolis, MN. JNUC stands for Jamf Nation User Conference. It's a 3-day conference centered around everything Casper Suite. JAMF Software's motto is "Helping the enterprise succeed with the Apple platform." This motto greatly aligns with my personal vision for helping an IT organization. Over 1,500 people have come from all over the world to share their experiences with Casper Suite, Casper Focus, and Composer. I am excited to be afforded the opportunity to share, explore, and learn about new ways to utilize the software. Today there were talks on System Integrity Protection, by Rich Trouton; JAMF Software Security and Vulnerability Assessments, by Daniel Mayer; and Novel Solutions with JAMF IT, by Byron Terrell of JAMF Software. The agenda had plenty of other talks, but those were the three that caught my eye and attention. For a complete listing of talks, navigate to the JNUC 2015 Sessions schedule.

One final note: I attended a talk titled "Culture Matters: Casper Suite for People Who Fear Going Corporate." This was an interesting talk because it centered around the idea of managing people who aren't used to being managed. It is an interesting question how to get everyone "on board" while IT ensures a safe environment. Four statements stood out from the talk:

  • Things they'll be able to do
  • Things we'll be able to do
  • Things we won't be able to do
  • What will they say at lunch?

These are all valuable points to consider when dealing with any users, staff, engineers, etc. When managing or providing services to client devices, ensure you explain the top three items, and think about what people are saying about your service during lunch, because it may not be the right thing.

Lastly, Macbrained threw an awesome, or what I think was awesome, event at Day Block Brewery. Well over 140 people showed up to have beers, food, and great conversation centered around tech and life. As a disclaimer, I do help organize the Macbrained events. Overall it was a great day, and I look forward to all the sessions and conversations on day 2.

OS X Admin Playing with Windows

Oh Windows, thou art heartless... No, it really isn't, but as a Mac admin who spends most of my time on OS X boxes mixed in with other Unix/Linux OSes, Windows Server can seem strange. Windows Server does have command line options; however, the expectation is for admins to use the GUI to configure services or roles. For those who are interested in the command line options, take a look at PowerShell. This is Microsoft's recommendation for interacting with Windows Server via the command line, while on Unix/Linux systems you configure via the terminal. Using the GUI has been a huge shift for me, not to mention just learning some of the nuances of Windows Server 2012. Windows has changed and made Server Manager much more powerful than the version in Windows Server 2008.

Lucky for me, during the setup of my group's Windows Server I was simultaneously enrolled in a Windows Server configuration course. The course afforded me an opportunity to gain a better understanding of the new features and settings in Windows Server 2012. During the setup, I did have concerns about the configuration of the server. Standard Windows configurations would have admins join a domain, which will apply the necessary settings in order to protect the system. But what do you do if you are not joining it to a domain and letting it be a stand-alone server?

Things that I thought about were:

  • Local Security Policy
  • Remote Desktop Services
  • Windows Firewall

Local Security Policy is loaded with different Windows Settings that need to be changed or left alone. The different categories to think of are:

  • Account Policies
  • Local Policies
  • Windows Firewall with Advanced Security
  • Network List Manager Policies
  • Public Key Policies
  • Software Restriction Policies
  • Application Control Policies
  • IP Security Policies on Local Computer
  • Advanced Audit Policy Configuration

I have yet to find a comprehensive list of suggested settings, but Microsoft does have resources on its TechNet site which help administrators with this topic:

These are just a few resources I used in order to help configure a Windows Server; however, there are many other resources. If someone has a list of best practices for setting up a Windows Server, it may be worthwhile to create a document for the masses at large. Not all Mac admins touch or deal with Windows Server on a regular basis; however, it would be good to have a guide to help navigate the Windows waters. At times I still feel lost, but it is a matter of knowing my limitations and finding the correct resources to help solve my problem.

Deploying a EULA with the Casper Suite

Recently I spoke at the JAMF Road Show in San Francisco on the basics of the Casper Suite. During this talk I reviewed OS X and iOS management with the Casper Suite. I described the different ways an organization can utilize the suite to accomplish their goals and give their admins their weekends and time back. I also discussed how we are having users sign a EULA and why we had not figured out how to deploy the EULA with Casper. Because I am working on deploying a couple hundred iPads within my fleet, I needed to determine a way to deploy a EULA with Casper. After digging around the JSS (Jamf Software Server) I found out how to deploy a custom EULA with the Casper Suite. The web interface does not explicitly tell you how to customize the EULA, but it does hint that it can be done. I will now describe how to locate and modify the enrollment page, which supports a custom EULA.

First, log in to your JSS and navigate to the settings tab, which is the blue gear in the upper right-hand corner. Once there, click on:

  1. Global Management
  2. User-Initiated Enrollment

Where is the Eula?

The first screen the admin will see is User-Initiated Enrollment. This will provide four options:

  • General
  • Messaging
  • Platforms
  • Access

Each section will aid the end user in enrolling in your management tool. The General section contains the following:

  • Restrict re-enrollment
  • Skip certificate installation during enrollment

In order to create a customized EULA, click on the second tab, labeled Messaging.

Four tabs to rule them all

Once you select the Messaging tab, you will be presented with the Language box that says English. The View button is the key to deploying a customized EULA and enrollment environment.

Eula, enrollment text, and more oh my!

The first option you have is to customize the enrollment title page, Page Title for Enrollment.

https://yourjss.com:8443/enroll

There are ten categories:

  • Login
  • Device Ownership
  • EULA
  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile
  • QuickAdd Package
  • App for Android
  • Complete

Login lets you customize everything on the login page:

  • Login Page Text
  • Username Text
  • Password Text
  • Login Button Text

Login Page

The next tab is Device Ownership. This page will help the user determine what type of device they will be enrolling. This will also determine the level of control you will have as the administrator.

Device Ownership

The next tab is why we are all here today. FINALLY, THE EULA. This section is where you can add your customized text from your legal or IT departments. The EULA terms will vary depending on whether the device is personally or institutionally owned. If this was the only section you needed, then you can skip the rest of the post; however, there are more options you can customize.

Ladies and gentlemen, the main event: the EULA.

The next three slides allow you to customize:

  • Sites
  • Certificate
  • Institutional MDM Profile
  • Personal MDM Profile

I would not recommend changing this text, as there are a lot of system defaults here that explain the purpose of the profiles and certificates in better detail.

The QuickAdd Package tab may be a tab you want to edit if you are granting technicians or users the ability to self-enroll OS X devices. The QuickAdd Package Installation Text has the default text:

Download and install this package

It wouldn't hurt to add a bit more context about the installation package. "Download and install this package" is fine; however, the message could also read:

Download and install this package that will grant access to the VPN, Wifi, and E-mail.

VPN, Wi-Fi, and email tend to be the sticking points for a lot of people, so what better way to draw people in than to tell them they can gain access to all of this by installing one package?

OS X Customization

If you plan on deploying Android devices with the Casper Suite then there is a section that allows you to customize that text.

Droids

The last customizable portion of this section is the completion page. You can edit the successful and failed installation messages. Instead of the standard "contact your administrator", you can direct them to call the help desk or open a ticket.

Game over

The last two tabs are:

  • Platforms
  • Access

The Platforms tab allows you to select what kind of devices can be enrolled with user-initiated enrollment. If you would like to allow enrollment of OS X, iOS, or Android devices then ensure you check all the correct boxes.

The Access tab allows certain or all LDAP groups to enroll devices and determines what types of devices they may enroll.

Options for platform enrollment

Deploying a customizable EULA is very easy with the Casper Suite. If your organization requires this before devices can be enrolled (whether they are institutional or personal), then it is an option. I will say that just because this option is available does not mean it is necessary. Make sure you weigh the costs and benefits of changing the verbiage when devices are enrolled. Every time a rule is modified the EULA may need to be updated, which means you must be in the loop with legal or IT about policy changes.

Penn State MacAdmins 2015

 

The Penn State MacAdmins conference was last week. Over 600 Mac admins traveled from all over the world to discuss and share knowledge regarding OS X. This was my first year at PSU MacAdmins, so I did not know what to expect. With that said, I found this conference to be very informative and collaborative.

The first day there were five workshops for attendees to choose from:

  • Apple Workshop
  • Fundamentals of Wi-Fi(or, Arguing with Physics)
  • Packaging Workshop
  • All Things Security
  • Introduction to Cocoa Development and Reverse Engineering on OS X

All great workshops, but I chose the Packaging Workshop. This was of particular interest to me because I did not know how an installer should actually look and behave. This workshop did a great job of explaining how packages should look and behave. In addition to this information, there were helpful tips with hands-on packaging experience in the GUI and on the command line. The workshop covered some of the following topics and suggested a few applications:

There were also scripting and "stupid packaging tricks" recommendations. This was by far one of the most helpful sessions for me all conference. I did not have a strong background in this particular topic, but after this workshop I feel more than confident in my ability to examine and build proper application packages for deployment.

There were a plethora of amazing sessions all week long. Check out the schedule http://psumac2015.sched.org. Some of my favorites were:

  • Integrating AutoPKG and the Casper Suite with the JSSImporter
  • To 12,00 Macs and beyond....
  • Administering Office 2016 for Mac
  • It's Dangerous to Go Alone, Take This!
  • Automated Testing with VMware Fusion
  • The 12 Unix Commands Everyone Should Know
  • OS X Operating System Security at Scale
  • Using AutoPKG for Windows Software
  • Open (and/or Free) vs Closed Source - Steel Cage Death Match
  • Using Google's Open Source Tools to Manage Macs

The list is too long to name all the other sessions that I enjoyed, and I could not attend them all. But something interesting occurred during this conference: crowdsourcing notes with Google Docs. I have always wondered why more people are not using crowdsourced note taking. It could allow you to be in multiple places at once, or give you the ability to review the notes at the end of the day. Slack was the primary driver when organizing notes for most of the sessions, and EVERYONE seemed to be on board with the idea. Many times before a session would begin, someone would place a link to the notes in the #PSUMAC Slack channel to allow note collaboration.

Slides and videos will be released later on the PSU Mac Admins website and on YouTube, but for those who want to review immediately, this was the perfect medium. Slack brought people who weren't even at the conference into the conversation, adding input regarding topics or peering into the notes, causing further interest in all of the talks and topics. Here is a collection of links to the Google Docs notes taken by everyone at PSU Mac Admins 2015:

One particular theme that I heard constantly, whether in the packaging workshop, sessions, or during general conversations at Legends: automation is key. There are plenty of tools that can help you automate very simple and complex tasks during your day. If you have not heard of autopkg, please go and read the GitHub page. It interfaces with many of the tools you use every day, and will take the mundane task of patching and deploying applications out of your hands. Automate your VMs with vfuse by Joseph Chilcote, or with Rich Trouton's session on virtualization testing. The theme was that your time is precious as a Mac admin, therefore save time where you can, which will free your mind to accomplish more challenging tasks.

I do want to give a thank you to the Penn State Mac Admins Conference, the Penn Stater, and all the individuals who attended or interacted with the community during the conference. I can't wait for PSU Mac Admins 2016! See you then, and thank you again for the best week of Summer Camp.

The Google Docs

Mobile technology is growing ever more powerful. We all knew how powerful it was, but the amount of functionality developers are drawing out of their software and hardware is astonishing. The Google suite of apps is ever changing, and on the mobile side they are constantly adding features and functionality similar to their suite within the browser. With that said, let me tell you about the time I decided to write a paper on my iPhone 5s while commuting home using Google Docs.

Technology grows in leaps and bounds. It quickly changes day by day, month by month, and year by year. I have been a long-time Google Docs user, but it is not the primary place I go to for document creation. I tend to use Evernote, Letterspace, or just a plain text file if I need to jot down a quick note. The device in my hand determines my writing volume. Currently I am working on getting a B.A. in Information Systems with a concentration in cyber security, and on Monday I happened to have a paper due, which I had been struggling to get my ideas down on virtual paper for. On Monday, I thought that if I left work at my normal time I would arrive home at a decent time and finish my paper. As I arrived at the BART station I could hear and see my train pulling off, WITHOUT ME! Instead of freaking out, now that I knew I would be behind schedule, I thought to myself: why not start the paper while I wait for the next train, in 20 minutes? Because my commute home would be well over 90 minutes, I thought it best to begin finalizing my paper.

I rarely use my laptop while on BART because you never know who is around you. Living in San Francisco I have seen many laptops, iPads, and iPhones stolen because people were too immersed in their system and not their surroundings. This left my iPhone as the tool I would use to write, edit, and finalize this paper. Previously I had used Google Docs on the iPhone and quickly realized it was missing many of the capabilities I am accustomed to on my laptop. But because my options were limited I thought, what the hell, why not give it a shot. Let's just say that after commuting for two hours I was able to complete an entire paper and share it out for editing, while highlighting and editing the color of the document. Thanks to Google Docs I was able to complete my task during my commute home without batting an eye.

The power that many people have right at their fingertips is quite amazing. The mere fact that I could create a document, share it, and then post it all from my phone is simply amazing. No longer do we need to provide users with a computer that has maximum RAM and CPU. With proper training and use cases we may be able to give users productivity similar to their PC, packed into their mobile device. Google Docs, Evernote, Letterspace, and other editable document platforms allow users and IT folks alike the flexibility of quickly documenting a process, an environment, or just notes, all with their thumbs.

Freeradius and OTP

People often wonder how they can harden their OS X environment. There are many methods and tools that can be used to harden a system. Most admins live and die by SSH; however, for those who are not seasoned with SSH it can be a daunting task.

To help protect against weak passwords you can set up your OS X infrastructure to use One Time Passwords (OTP). Here is the Internet standard surrounding OTP. Depending on your environment the prerequisites for setting up OTP on a machine may vary, but you will need these at minimum:

  • OTP Server
  • Auth Module
  • OS X System
  • Static Address
  • Shared Secret

I use the FreeRADIUS PAM auth module (pam_radius), version 1.3.17, in this write-up. Version 1.3.17 has some bugs, which is the reason I had to write up how I was able to use the buggy version. FreeRADIUS has released version 1.4, which is supposed to address the problems in 1.3.17. For those who have not updated to or seen 1.4, you can use this write-up to get the 1.3.17 module working.

The first thing to do is download version 1.3.17 from https://github.com/FreeRADIUS/pam_radius. Then unzip the file and move the folder onto your Desktop. Before you run the make command, there are some edits that need to be made to the Makefile and to pam_radius_auth.c. If you try to compile without making the edits, this error will occur:

pam_radius_auth.c:358:23: error: variable has incomplete type 'struct timezone'

      struct timezone tz;

To counter this error, add the following lines above the struct timeval tv; declaration near line 358:

struct timeval {
    time_t tv_sec;
    suseconds_t tv_usec;
};
struct timezone {
    int tz_minuteswest;
    int tz_dsttime;
};

It should look like the following screenshot:

After this edit your code should compile; however, I found that on newer systems you will need to run a different GCC command in order to compile correctly. The error you receive when running the make command without making a change to the Makefile is:

ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

In order to combat this you must edit the Makefile. Within the Makefile there is a section called Build Shared Library. Inside Build Shared Library it states "On systems with a newer GCC, you will need to do: gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so". You will want to uncomment the gcc line.

Next, copy the gcc line and run it in your terminal with a -v flag at the end:

gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so -v

The output of the command should look like the following:

"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld" -demangle -dynamic -dylib -arch x86_64 -macosx_version_min 10.10.0 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk -o pam_radius_auth.so pam_radius_auth.o md5.o -lpam -lc -lSystem /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib/darwin/libclang_rt.osx.a

You will need to copy this ld invocation and enter it into your terminal. Once it completes, run the make command, which should result in a correct compile.

After these steps you will have a complete and functional pam_radius_auth.so. Half of the OTP setup is now complete.

Next, you will need to edit the proper configuration files, move the pam_radius_auth.so into the proper location, and test.

Configuration Files Editing

Open /etc/sshd_config. The only lines that need to be edited in the file are the following:

Some of these lines may be set to yes or no; make sure they match the previous image.

After that you will need to move the pam_radius_auth.so file into its correct place, /usr/lib/pam. Next, navigate to /etc and create a pam_radius.conf file, or use the pam_radius.conf that was located in the unzipped pam_radius folder on your desktop. Inside the .conf file you will specify the information about your OTP server. The information you will need to procure from your identity management or cyber team is:

  • server
  • shared_secret
  • timeout

Here is an example of the file. I would leave the localhost line there, as the conf file indicates, and add your infrastructure below the localhost line.

Next, edit /etc/pam.d/sshd. This file tells your system where to find your pam_radius.conf, and it also dictates which .so modules PAM uses for authentication. An unedited file will have nothing commented out. You will need to add line 5 of the example below into your file.

Using FreeRADIUS, my file looks like the following:

Once you have all these items in place, reboot the system and test OTP to ensure authentication is working properly. During testing, keep the Console open on the device you are setting up OTP on, to get insight into any errors.
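Before rebooting, it is worth checking the pam_radius.conf you just wrote: pam_radius_auth reads one line per server in the layout server[:port], shared secret, timeout, and the file holds the shared secret, so it should not be readable by anyone but root. The script below is an added example, not from the original post or the pam_radius project. The server name, shared secret and timeout values are constructed placeholders, and it writes to whatever path you pass in, so you can try it on a scratch file before touching /etc/pam_radius.conf.

```shell
#!/bin/sh
# Added example (not from the original post or the pam_radius project):
# write a pam_radius.conf in the "server[:port]  shared_secret  timeout"
# layout and sanity-check it before enabling the module for sshd.

# Portable file mode: Linux stat -c first, then BSD/macOS stat -f.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Write the conf file.
#   $1 = destination (/etc/pam_radius.conf, or a scratch path to try it out)
#   $2 = OTP server, host or host:port   $3 = shared secret   $4 = timeout in seconds
pam_radius_conf_write() {
    # The file carries the shared secret, so create it as mode 600 from the start.
    ( umask 077
      {
          printf '# server[:port]\tshared_secret\ttimeout\n'
          # localhost line kept first, as the post advises; "secret" is a placeholder
          printf '127.0.0.1\tsecret\t1\n'
          printf '%s\t%s\t%s\n' "$2" "$3" "$4"
      } > "$1" )
}

# Check a conf file: it exists, is not readable by others, and every
# non-comment line is exactly "server secret timeout" with a numeric timeout.
# Prints each problem found; returns 1 if anything is wrong.
pam_radius_conf_check() {
    conf="$1"; rc=0; servers=0
    [ -f "$conf" ] || { echo "$conf: missing"; return 1; }
    case "$(mode_of "$conf")" in
        600|400) ;;
        *) echo "$conf: must be mode 600, it contains the shared secret"; rc=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        set -f; set -- $line; set +f                 # split on whitespace, no globbing
        if [ $# -ne 3 ]; then
            echo "$conf: expected 'server secret timeout', got: $line"; rc=1; continue
        fi
        case "$3" in
            ''|*[!0-9]*) echo "$conf: timeout '$3' is not a number on: $line"; rc=1 ;;
        esac
        servers=$((servers + 1))
    done < "$conf"
    [ "$servers" -gt 0 ] || { echo "$conf: no server lines"; rc=1; }
    return $rc
}

# Demo on a scratch file with constructed values.
demo="$(mktemp)"
pam_radius_conf_write "$demo" otp.example.internal:1812 EXAMPLE-SHARED-SECRET 3
pam_radius_conf_check "$demo" && echo "$demo looks good"
rm -f "$demo"
```

Run the check again after any hand edit: a stray fourth field, a non-numeric timeout, or a file left world-readable by a copy from the Desktop are the mistakes that otherwise only show up as a failed login after the reboot.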

If you have any questions please do not hesitate to comment or drop me a line at info @ jasonkmiller.com or jason @ jasonkmiller.co

Terminal and Sophos for me

Recently, I have played around with Sophos and the command line tools that come with the product. If we, as sysadmins, can script the updates, installations, and scans of systems without interrupting the user, then everyone is happy. The user is not disrupted and sysadmins are compliant in protecting our users and organization. 

There are plenty of scripts written by people, and documentation provided by Sophos, for performing silent installations and uninstallations of Sophos Anti-Virus. Sophos has the process documented on their support page. Here are some of the commands you can use to uninstall the product:

This will uninstall unmanaged versions

sudo /Library/Application\ Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer --remove

This will uninstall managed versions

9.x

sudo /Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer --remove

9.1x

sudo /Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

Knowing this is useful if you want to uninstall Sophos via the command line, for instance when a user cannot find the Remove Sophos Anti-Virus app stored in:

/Library/Sophos\ Anti-Virus/Remove\ Sophos\ Anti-Virus.app/

For those who would like to automate this process you can utilize a script written by Rich Trouton.
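As an added example (not from the post, from Rich Trouton's script, or from Sophos), here is a small shell wrapper that automates the choice between the three uninstall commands above: it probes for the 9.1x managed, 9.x managed and unmanaged InstallationDeployer paths in that order, runs the one it finds with --remove, and with DRY_RUN=1 only prints what it would run. The root-prefix argument is an assumption of this script so it can be tested against a scratch directory; on a live system leave it empty.

```shell
#!/bin/sh
# Added example (not from the post or from Sophos): pick the InstallationDeployer
# that matches the installed flavour of Sophos Anti-Virus and run it with --remove.

# Deployer paths taken from the post, newest layout first.
#   $1 = root prefix: "" for the live system, a scratch directory for testing.
# Prints the first executable deployer found; returns 1 if none is present.
sophos_find_deployer() {
    root="${1:-}"
    for rel in \
        "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer" \
        "/Library/Application Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer" \
        "/Library/Application Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer"
    do
        # order: managed 9.1x, managed 9.x, unmanaged
        if [ -x "$root$rel" ]; then
            printf '%s\n' "$root$rel"
            return 0
        fi
    done
    return 1    # nothing installed, or an unknown layout: do not guess
}

# Uninstall whatever flavour is present.  With DRY_RUN=1 only print the command.
# The deployer itself needs root, as the sudo in the post's commands shows.
sophos_uninstall() {
    deployer="$(sophos_find_deployer "${1:-}")" \
        || { echo "no Sophos InstallationDeployer found, nothing to remove" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'would run: "%s" --remove\n' "$deployer"
        return 0
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (sudo): $deployer --remove" >&2
        return 1
    fi
    "$deployer" --remove
}

# Dry run against the live system: prints the command or reports nothing found.
DRY_RUN=1 sophos_uninstall ""
```

Because the function returns 1 rather than guessing when none of the three paths exists, a deployment script built on it can tell "already removed" from "removed just now" by the exit status.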

Another handy tool that Sophos includes with the product is a command line scanner. With it you can check or perform the following:

  • Version
  • Virus data version
  • Virus definitions
  • Perform Scans

These are just a few options that one can utilize on the command line. The Sophos binary is:

/usr/bin/sweep

Here are some options that you can run from the command line:

-sc [*] : Scan dynamically compressed executables
-f [ ] : Full scan
-extensive [ ] : Scan complete contents of files
-di [ ] : Disinfect infected items
-s [*] : Run silently (do not list files swept)
-c [*] : Ask for confirmation before disinfection/deletion
-b [*] : Sound bell on virus detection
-all [*] : Scan all files
-rec [*] : Do recursive scan
-remove [ ] : Remove infected objects
-dn [ ] : Display file names as they are scanned
-ss [ ] : Don't display anything except on error or virus
-eec [ ] : Use extended error codes
-ext=extension,.. : Specify additional extensions to SWEEP
-p= : Write to logfile
-idedir= : Read IDEs from alternative directory
-exclude : Exclude the following objects from scanning
-include : Include the following objects in scanning
-v : Display complete version information
-vv : Display complete version information and details on
-h : Display this help and exit

The command line tool will also let you scan inside compressed files. If your organization uses Sophos as the corporate anti-virus, I would suggest automated scans of the system, compressed files, and adware/PUAs, especially after Apple released their adware documentation. The binary also allows an administrator to scan extensions that may not be as common or included within a default Sophos scan. Finally, being able to determine the Sophos version and virus definition version can help with reporting and enforcing the latest patches on your client machines.

Pf logging

In my previous post, PF for me PF for you, I went over how to use PF in your environment. One thing that I did not discuss was logging with PF. When PF is enabled, it does not log any of the passes or blocks for the system. You can obtain statistics on how well your firewall rules are performing with the following command:

pfctl -s info

Here is an example of the output (screenshot):

Output of pfctl -s info, giving you a listing of how effective your firewall ruleset is.

But let's say you wanted to collect more data to send to your log aggregator, or just to the internal syslog, to investigate; how would you set this up? Essentially, we want to create a text file of traffic, the things we block and the things we allow in; otherwise, we are flying blind. There are a few steps to set up logging on the system. (I have included the steps for setup on my GitHub as well.)

First, enable syslog logging of the local2 facility to a file:

echo -e "# gather PF log data\nlocal2.*\t\t\t/private/var/log/pf.log" >> /etc/syslog.conf

Next, create the actual log file and change the permissions on the file:

touch /private/var/log/pf.log
chmod 640 /private/var/log/pf.log 
chown root:wheel /private/var/log/pf.log
killall -HUP syslogd

Next, set up a tcpdump from /dev/pflog0 to syslog:

cat >/usr/local/bin/pflog.sh <<END
#!/bin/sh
/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info
END

Then, change the permissions on the tcpdump logging script:

chown root:wheel /usr/local/bin/pflog.sh
chmod 555 /usr/local/bin/pflog.sh

Next, create a launch daemon that runs pflog.sh at boot and keeps it running:

cat >/Library/LaunchDaemons/nameof.plist <<END
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>pflog</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/pflog.sh</string>
    </array>
    <key>Disabled</key>
    <false/>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
END

Change Permissions:

chown root:wheel /Library/LaunchDaemons/nameof.plist
chmod 444 /Library/LaunchDaemons/nameof.plist

Finally, this step switches the pfctl launch daemon from starting pf on demand to starting it fully at boot. Add the -e option to the pfctl arguments in the ProgramArguments array inside /System/Library/LaunchDaemons/com.apple.pfctl.plist:

<key>ProgramArguments</key>
<array>
    <string>pfctl</string>
    <string>-ef</string>
    <string>/etc/pf.conf</string>
</array>

Once all of this is in place then check to see if pf is running:

launchctl list | grep pf

Load the pf log plist:

launchctl load -w /Library/LaunchDaemons/nameof.plist

Then, check to ensure that pf log is now running:

launchctl list | grep pf
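Two things are worth having once all of the above is in place: a check that every piece is actually present (the syslog.conf line, the file modes, a launch daemon that references pflog.sh, and the -e in com.apple.pfctl.plist), and a way to read the resulting pf.log without paging through raw tcpdump lines. The script below is an added example, not code from the original post or from my GitHub steps. The root-prefix argument to the check is an assumption of this script so it can be tried against a scratch tree; the four log lines in pf_sample_log are constructed in the shape that tcpdump -lnettti pflog0 piped through logger produces, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the original post): verify the pieces the steps above
# put in place, and summarise the pf.log that results.  Log lines in
# pf_sample_log are constructed; addresses are documentation ranges.

# Portable file mode: Linux stat -c first, then BSD/macOS stat -f.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Check the setup under a root prefix ("" = live system; a scratch tree for tests).
# Prints each problem, returns 1 if any.  Ownership (root:wheel) is not checked
# here because a scratch tree is owned by whoever builds it.
pf_logging_check() {
    root="${1:-}"; rc=0
    grep -q '^local2\.\*[[:space:]].*/var/log/pf\.log' "$root/etc/syslog.conf" 2>/dev/null \
        || { echo "syslog.conf: no local2.* -> pf.log line"; rc=1; }
    [ "$(mode_of "$root/private/var/log/pf.log" 2>/dev/null)" = "640" ] \
        || { echo "pf.log: missing or not mode 640"; rc=1; }
    [ "$(mode_of "$root/usr/local/bin/pflog.sh" 2>/dev/null)" = "555" ] \
        || { echo "pflog.sh: missing or not mode 555"; rc=1; }
    grep -q 'pflog.sh' "$root"/Library/LaunchDaemons/*.plist 2>/dev/null \
        || { echo "no launch daemon references pflog.sh"; rc=1; }
    grep -q '<string>-ef</string>' "$root/System/Library/LaunchDaemons/com.apple.pfctl.plist" 2>/dev/null \
        || { echo "com.apple.pfctl.plist: pfctl is not started with -e"; rc=1; }
    return $rc
}

# Write four constructed pf.log lines to $1, in the shape pflog.sh produces:
#   ... pf[PID]: <delta> rule R/S(match): ACTION DIR on IFACE: SRC.PORT > DST.PORT: ...
pf_sample_log() {
    cat > "$1" <<'EOF'
Dec 20 10:00:01 mac pf[101]: 00:00:00.000000 rule 0/0(match): block in on en0: 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
Dec 20 10:00:02 mac pf[101]: 00:00:01.000000 rule 0/0(match): block in on en0: 203.0.113.5.51235 > 192.0.2.10.5900: Flags [S], seq 1, win 65535, length 0
Dec 20 10:00:03 mac pf[101]: 00:00:01.000000 rule 0/0(match): block in on en0: 203.0.113.9.40000 > 192.0.2.10.445: Flags [S], seq 1, win 65535, length 0
Dec 20 10:00:04 mac pf[101]: 00:00:01.000000 rule 3/0(match): pass in on en0: 192.0.2.2.50000 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
EOF
}

# Summarise a pf.log: packets per "action direction", then each blocked source
# address with its count.  Keys on the token after "(match):", so it does not
# care about the syslog prefix in front of it.
pf_log_summary() {
    awk '
        /rule [0-9]+\/[0-9]+\(match\): (block|pass) (in|out) on/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /\(match\):$/) { action = $(i+1); dir = $(i+2); src = $(i+5); break }
            count[action " " dir]++
            if (action == "block") { sub(/\.[0-9]+$/, "", src); blocked[src]++ }   # drop the port
        }
        END {
            for (k in count) printf "%s %d\n", k, count[k]
            for (s in blocked) printf "blocked-src %s %d\n", s, blocked[s]
        }
    ' "$1" | sort
}

# Demo on the constructed sample.
sample="$(mktemp)"
pf_sample_log "$sample"
pf_log_summary "$sample"
rm -f "$sample"
```

On a real box, run pf_logging_check with an empty prefix after the launchctl steps, then pf_log_summary /private/var/log/pf.log once some traffic has hit the default block rule; a source address that keeps showing up under blocked-src is the thing you want to look at next.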

PF for me PF for you

Recently I have been tasked with expanding the firewall on OS X. By default the Application Firewall is enabled on most devices as a standard safety procedure. Nothing is wrong with the Application Firewall Apple included in OS X, but my infrastructure required something a bit more robust. If you would like more reading about the OS X Application Firewall, click this link, which is the official blurb from Apple.

I did not have a laundry list of settings. If anything, my settings were based on the output of nmap scans. OS X now ships with PF, the OpenBSD Packet Filter. PF allows administrators to tightly control the packet firewall on a device; however, it is configured primarily from the terminal. There is a GUI application for it, but I found it easier to work with the terminal and vi for configuration.

When determining your firewall philosophy you should ask yourself whether your default allows everything or blocks everything. If your default allows everything then you must decide what to block. This list could be excruciating to navigate because there are 65,535 ports. If your default blocks everything, an administrator only has to open the ports that are truly needed.

Personally, I choose to go with the default block route, only opening the specific ports that my organization and users need in order to conduct business. Before implementing my rules I researched and read information to ensure I had a strong grasp of PF. I Googled the topic and also read The Book of PF. I highly recommend the book if you are going to start utilizing PF. After reading this book I was able to build a proper rule-set.

The first thing to do is to learn how to turn on and off the pf firewall. It does need elevated or root privileges to enable and disable.

Enable PF
pfctl -e

Disable pf
pfctl -d

The next thing is to determine where to place your configuration. I would suggest not placing your rules in the pf.conf file located in /etc/ but creating an anchor within the /etc/pf.anchors directory. I advise this because an Apple update could undo your changes.

If you look at the contents of /etc/pf.anchors there is a com.apple anchor. If you look at the contents of the pf.conf file, it tells pf to read rules from the pf.anchors directory. Because of this I believe it is best to create an anchor and have pf.conf read my anchor.

As I stated earlier I decided to go with the default to block all traffic into the machine, while logging all blocked traffic.
block in log all

I wanted to allow certain types of traffic from certain hosts. I decided to use macros and tables within my anchor. The OpenBSD documentation defines macros as "user-defined variables that can hold IP addresses, port numbers, interface names, etc. Macros can reduce the complexity of a PF rule-set and also make maintaining a rule-set much easier." In the same documentation a table is defined as "used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists." With a better understanding of how macros and tables are used, I decided to use macros for ports and tables for hosts. A table could look like this:

table <host_list> persist { 123.4.456.789 }

Only add persist or const to your table if you need a persistent or constant connection. 

When building my rule-set I defined each port with its own macro. I also created many different tables for my collections of hosts. I explicitly labeled my macros and tables. I did this because in my anchor file each rule line corresponds to a single macro and a single table. This helps because pf has a command that prints out your rule-set in plain English. It tends to put everything in perspective and lets everyone easily see what is and is not allowed within your config.

Print plain English pf rules:
pfctl -sr

Here is an example:

pass in log proto tcp from <host> to any port = 5900 flags S/SA keep state
pass in log proto udp from <host> to any port = 5900 keep state
pass in log quick proto tcp from <otp> to any port = 22 flags S/SA keep state
pass in log proto tcp from <host> to any port = 22 flags S/SA keep state
pass in log proto udp from <host> to any port = 22 keep state

Lastly, pf has a syntax parser. It reports the line on which an error occurred and whether the rule-set would load. I would highly recommend running this command before trying to enable a rule-set.

Parse Rule-set:
pfctl -nvf /etc/pf.conf

Here is an example of the output of this command:

/etc/pf.conf:53: syntax error
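To show the macro-and-table style described above in a complete anchor, and to catch the most common cause of that "syntax error" line before handing the file to pfctl -nvf, here is an added example that is not part of the original post. It writes a small default-block anchor (one macro per port, one table per host group, one pass rule per macro/table pair; the addresses and the anchor file name are constructed placeholders) and then lints it for any $macro or <table> that is used in a rule but never defined, reporting the line number the way pfctl would. Where pfctl is available it finishes by running the parser from the post.

```shell
#!/bin/sh
# Added example (not from the post): a default-block anchor in the style the
# post describes, plus a lint for undefined macros and tables that runs before
# pfctl -nvf.  Addresses and the anchor name are constructed placeholders.

# Write the constructed anchor to $1.
pf_anchor_write() {
    cat > "$1" <<'EOF'
# macros: one per port
ssh_port = "22"
vnc_port = "5900"

# tables: one per host group (constructed documentation addresses)
table <host> persist { 192.0.2.0/24 }
table <otp> persist { 198.51.100.10 }

# default: block, and log, everything coming in
block in log all

# one rule per macro/table pair
pass in log quick proto tcp from <otp> to any port $ssh_port flags S/SA keep state
pass in log proto tcp from <host> to any port $ssh_port flags S/SA keep state
pass in log proto tcp from <host> to any port $vnc_port flags S/SA keep state
EOF
}

# Report any $macro or <table> used in a rule but never defined earlier in the file.
# Prints "file:line: undefined macro|table NAME" per hit; returns 1 if there were any.
pf_anchor_lint() {
    awk -v file="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }                      # comments, blanks
        /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { sub(/[[:space:]]*=.*/, ""); macro[$0] = 1; next }
        /^table[[:space:]]*</ { t = $2; gsub(/[<>]/, "", t); table[t] = 1; next }
        {
            line = $0
            while (match(line, /\$[A-Za-z_][A-Za-z0-9_]*/)) {              # $name references
                name = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(name in macro)) { printf "%s:%d: undefined macro %s\n", file, NR, name; bad = 1 }
                line = substr(line, RSTART + RLENGTH)
            }
            line = $0
            while (match(line, /<[A-Za-z_][A-Za-z0-9_]*>/)) {              # <name> references
                name = substr(line, RSTART + 1, RLENGTH - 2)
                if (!(name in table)) { printf "%s:%d: undefined table %s\n", file, NR, name; bad = 1 }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Lint first; then, where pfctl exists (macOS/BSD), run the post's parser on the file.
pf_anchor_check() {
    pf_anchor_lint "$1" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nvf "$1"
    fi
}

# Demo: write the anchor to a scratch file and check it.
demo="$(mktemp)"
pf_anchor_write "$demo"
pf_anchor_check "$demo" && echo "anchor references are all defined"
rm -f "$demo"
```

The lint only knows about references, not pf grammar, so it does not replace pfctl -nvf; it simply tells you "you forgot to define <otp>" instead of a bare line number when the one-macro-one-table convention slips.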

Pf is a powerful tool that admins can use to secure the workstations in their environment or to secure their servers. It took me about two days of reading and playing around in the terminal to get a strong grasp of Pf. Logging in Pf is interesting because there is no logging out of the box. You must set up the logging yourself, which I will cover in a later post.

Does anyone in the community utilize Pf?  If so in what way? If not, what is stopping you?

If you would like more in depth information about Pf please do not hesitate to contact me.