Penn State MacAdmins 2015

The Penn State MacAdmins conference was last week. Over 600 MacAdmins traveled from all over the world to discuss and share knowledge regarding OS X. This was my first year at PSU MacAdmins, so I did not know what to expect. With that said, I found this conference to be very informative and collaborative.

The first day there were five workshops for attendees to choose from:

  • Apple Workshop
  • Fundamentals of Wi-Fi(or, Arguing with Physics)
  • Packaging Workshop
  • All Things Security
  • Introduction to Cocoa Development and Reverse Engineering on OS X

All great workshops, but I chose the Packaging Workshop. This was of particular interest to me because I did not know how an installer should actually look and behave. This workshop did a great job of explaining how packages should look and behave. In addition, there were helpful tips along with hands-on packaging experience in the GUI and on the command line. The workshop covered some of the following topics and suggested a few applications:

There were also recommendations on scripting and Stupid packaging tricks. This was by far one of the most helpful sessions of the whole conference for me. I did not have a strong background in this particular topic, but after this workshop I feel more than confident in my ability to examine and build proper application packages for deployment.

There were a plethora of amazing sessions all week long. Check out the schedule http://psumac2015.sched.org. Some of my favorites were:

  • Integrating AutoPKG and the Casper Suite with the JSSImporter
  • To 12,00 Macs and beyond....
  • Administering Office 2016 for Mac
  • It's Dangerous to Go Alone, Take This!
  • Automated Testing with VMware Fusion
  • The 12 Unix Commands Everyone Should Know
  • OS X Operating System Security at Scale
  • Using AutoPKG for Windows Software
  • Open (and/or Free) vs Closed Source - Steel Cage Death Match
  • Using Google's Open Source Tools to Manage Macs

The list of other sessions I enjoyed is too long to include here, and I could not attend them all. But something interesting occurred during this conference: crowd-sourcing notes with Google Docs. I have always wondered why more people are not using crowd-sourced note taking. It allows you to be in multiple places at once, or to review the notes at the end of the day. Slack was the primary driver when organizing notes for most of the sessions, and EVERYONE seemed to be on board with the idea. Many times, before a session would begin, someone would place a link to the notes in the #PSUMAC Slack channel to allow note collaboration.

Slides and videos will be released at a later date on the PSU Mac Admins website and on YouTube, but for those who want to review immediately, this was the perfect medium. Slack brought people who weren't even at the conference into the conversation, adding input regarding topics or peering into the notes, which generated further interest in all of the talks and topics. Here is a collection of Google Docs links from the notes taken by everyone at PSU Mac Admins 2015:

One particular theme that I heard constantly, whether in the packaging workshop, in sessions, or during general conversations at Legends: automation is key. There are plenty of tools that can help you automate very simple and very complex tasks during your day. If you have not heard of autopkg, please go and read the GitHub page. It interfaces with many of the tools you use every day, and will take the mundane task of patching and deploying applications out of your hands. Automate your VMs with vfuse by Joseph Chilcote, or follow Rich Trouton's session on virtualization testing. The theme was that your time is precious as a Mac admin, so save time where you can, which will free your mind to accomplish more challenging tasks.

I do want to give a thank you to the Penn State Mac Admins Conference, the Penn Stater, and all the individuals who attended or interacted with the community during the conference. I can't wait for PSU Mac Admins 2016! See you then, and thank you again for the best week of Summer Camp.

Pf logging

In my previous post, PF for me PF for you, I went over how to utilize PF in your environment. One thing that I did not discuss was logging with PF. When PF is enabled, it does not log any of the passed or blocked traffic on the system. You can obtain statistics on how well your firewall rules are performing with the following command:

pfctl -s info

Here is an example of the output:

[Screenshot] Output of pfctl -s info, giving you a listing of how effective your firewall ruleset is.

But let's say you wanted to collect more data to send to your log aggregator, or just to the internal syslog to investigate; how would you set this up? Essentially, we want to create a text file of traffic, things we block, or things we allow in; otherwise, we are flying blind. There are a few steps to set up logging on the system. (I have included the steps for setup on my Github as well.)

First, enable the syslogging of local2:

echo -e "# gather PF log data\nlocal2.*\t\t\t/private/var/log/pf.log" >> /etc/syslog.conf

Next, create the actual log file and change the permissions on the file:

touch /private/var/log/pf.log
chmod 640 /private/var/log/pf.log 
chown root:wheel /private/var/log/pf.log
killall -HUP syslogd

Next, set up a tcpdump from /dev/pflog0 to syslog:

cat >/usr/local/bin/pflog.sh <<END
#!/bin/sh
/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info
END

Then, change permissions on the tcpdump logging script:

chown root:wheel /usr/local/bin/pflog.sh
chmod 555 /usr/local/bin/pflog.sh

Next, create a launch daemon that runs the pflog script at boot and keeps it running:

cat >/Library/LaunchDaemons/nameof.plist <<END
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>pflog</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/pflog.sh</string>
    </array>
    <key>Disabled</key>
    <false/>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
END

Change Permissions:

chown root:wheel /Library/LaunchDaemons/nameof.plist
chmod 444 /Library/LaunchDaemons/nameof.plist

Finally, switch the pfctl launch daemon so that PF starts fully at boot rather than only being enabled on demand. Add the -e option to the ProgramArguments array inside /System/Library/LaunchDaemons/com.apple.pfctl.plist:

<key>ProgramArguments</key>
<array>
    <string>pfctl</string>
    <string>-ef</string>
    <string>/etc/pf.conf</string>
</array>

Once all of this is in place, check to see if pf is running:

launchctl list | grep pf

Load the pflog plist:

launchctl load -w /Library/LaunchDaemons/nameof.plist

Then, check to ensure that pflog is now running:

launchctl list | grep pf
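Once pf.log starts filling up, the next question is what to do with it. Here is an added example (mine, not from the original post) that parses the syslog-prefixed tcpdump pflog records and tallies inbound blocks per source and destination port, flagging any source that crosses a threshold. The line layout and the constructed sample lines assume tcpdump's pflog header as printed with -e and -n (IPv4 only), and a rule only writes to pflog0 if it carries the log keyword in pf.conf.

```python
import re
from collections import Counter

# tcpdump -e on pflog0 prints the pflog header (rule, action, direction,
# interface) ahead of the IP layer; -n keeps addresses numeric as "a.b.c.d.port".
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\w+): (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)

# Constructed sample pf.log lines (RFC 5737 addresses), shaped like the output of
# "tcpdump -lnettti pflog0 | logger -t pf -p local2.info" once syslog prefixes it.
SAMPLE_LOG = """\
Jul 15 10:23:41 mac pf[412]: 00:00:00.000000 rule 2/0(match): block in on en0: 203.0.113.9.51234 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
Jul 15 10:23:42 mac pf[412]: 00:00:00.812345 rule 2/0(match): block in on en0: 203.0.113.9.51235 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
Jul 15 10:23:43 mac pf[412]: 00:00:01.102233 rule 0/0(match): pass out on en0: 192.0.2.10.52000 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0
Jul 15 10:23:44 mac pf[412]: 00:00:00.500000 rule 3/0(match): block in on en0: 198.51.100.77.40000 > 192.0.2.10.5900: UDP, length 12
Jul 15 10:23:45 mac pf[412]: 00:00:00.250000 rule 2/0(match): block in on en0: 203.0.113.9.51236 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
"""

def parse_line(line):
    """Return the pflog fields of one pf.log line, or None for non-pflog lines."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize_blocks(log_text, threshold):
    """Count inbound blocks per (source, destination port) and flag sources whose
    blocked attempts reach `threshold`; passes and outbound traffic are skipped."""
    per_target, per_source = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "in":
            continue
        per_target[(rec["src"], rec["dport"])] += 1
        per_source[rec["src"]] += 1
    noisy = sorted(src for src, n in per_source.items() if n >= threshold)
    return per_target, noisy

if __name__ == "__main__":
    targets, noisy = summarize_blocks(SAMPLE_LOG, threshold=3)
    for (src, dport), n in targets.most_common():
        print(f"{n:3d} blocked  {src} -> port {dport}")
    print("sources at/over threshold:", noisy)
```

Point it at the real file with `summarize_blocks(open("/private/var/log/pf.log").read(), threshold)` once the launch daemon has been running for a while.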