Terminal and Sophos for me

Recently, I have played around with Sophos and the command line tools that come with the product. If we, as sysadmins, can script the updates, installations, and scans of systems without interrupting the user, then everyone is happy. The user is not disrupted and sysadmins are compliant in protecting our users and organization. 

There are plenty of scripts written by people and documentation provided by Sophos to perform silent installations and uninstallations of Sophos Anti-Virus. Sophos has the process documented on their support page. Here is a sample of some of the commands that you can use to uninstall the product:

This will uninstall unmanaged versions

sudo /Library/Application\ Support/Sophos/opm-sa/Installer.app/Contents/MacOS/InstallationDeployer --remove

This will uninstall managed versions

9.x

sudo /Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/InstallationDeployer --remove

9.1x

sudo /Library/Application\ Support/Sophos/opm/Installer.app/Contents/MacOS/tools/InstallationDeployer --remove

Knowing this information is useful if you want to uninstall Sophos via the command line, or when a user cannot find the Remove Sophos Anti-Virus application stored in:

/Library/Sophos\ Anti-Virus/Remove\ Sophos\ Anti-Virus.app/

For those who would like to automate this process you can utilize a script written by Rich Trouton.

Another handy tool that Sophos includes with their product is a command line scanner. With it you can check or do the following:

  • Version
  • Virus data version
  • Virus definitions
  • Perform Scans

These are just a few options that one can utilize on the command line. The Sophos binary is:

/usr/bin/sweep

Here are some options that you can run from the command line:

-sc [*] : Scan dynamically compressed executables
-f [ ] : Full scan
-extensive [ ] : Scan complete contents of files
-di [ ] : Disinfect infected items
-s [*] : Run silently (do not list files swept)
-c [*] : Ask for confirmation before disinfection/deletion
-b [*] : Sound bell on virus detection
-all [*] : Scan all files
-rec [*] : Do recursive scan
-remove [ ] : Remove infected objects
-dn [ ] : Display file names as they are scanned
-ss [ ] : Don't display anything except on error or virus
-eec [ ] : Use extended error codes
-ext=extension,.. : Specify additional extensions to SWEEP
-p= : Write to logfile
-idedir= : Read IDEs from alternative directory
-exclude : Exclude the following objects from scanning
-include : Include the following objects in scanning
-v : Display complete version information
-vv : Display complete version information and details on
-h : Display this help and exit

The command line tool will also let you scan inside compressed files. If your organization utilizes Sophos as the corporate anti-virus, I would suggest automated scans of the system, of compressed files, and for adware/PUAs, especially after Apple released their adware documentation. The binary also allows an administrator to scan file extensions that may not be as common or included in a default Sophos scan. Finally, being able to determine the Sophos version and virus definition version can help with reporting and enforcing the latest patches on your client machines.
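As an added example (not part of the original post and not Sophos' own tooling), the script below wraps /usr/bin/sweep for unattended use along the lines just described: it turns the version output into inventory fields, checks the virus data version against a baseline, and runs a silent recursive scan that logs to a file. The labels parsed from `sweep -v`, the SWEEP and LOGDIR variables, and the sample version numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Sophos: a wrapper around
# /usr/bin/sweep for unattended inventory and scanning, using only the options
# listed above. SWEEP and LOGDIR can be overridden from the environment.
SWEEP="${SWEEP:-/usr/bin/sweep}"
LOGDIR="${LOGDIR:-/private/var/log/sophos}"

# sophos_version: turn `sweep -v` into key=value lines for an inventory tool.
# Assumption: the output has "label : value" lines such as
# "Product version : 9.4.1" and "Virus data version : 5.33"; every line whose
# label mentions "version" is kept, so small label changes still parse.
sophos_version() {
    "$SWEEP" -v 2>/dev/null | awk -F: '
        NF >= 2 && tolower($1) ~ /version/ {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/ /, "_", key)
            print tolower(key) "=" val
        }'
}

# sophos_check_data MIN: succeed if the installed virus data version is at
# least MIN (dotted numeric compare), fail otherwise, return 2 if the version
# could not be read. Lets a management script flag clients with stale data.
sophos_check_data() {
    have=$(sophos_version | sed -n 's/^virus_data_version=//p')
    [ -n "$have" ] || return 2
    newest=$(printf '%s\n%s\n' "$1" "$have" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
    [ "$newest" = "$have" ]
}

# sophos_scan DIR [EXT,...]: silent recursive scan of every file under DIR,
# with extended error codes and a timestamped log under LOGDIR. -ext adds
# extensions sweep would otherwise skip. Returns sweep's own exit status so
# the caller decides what to do with it (Sophos documents the codes).
sophos_scan() {
    dir="$1"; ext="${2:-}"
    mkdir -p "$LOGDIR"
    log="$LOGDIR/sweep-$(date +%Y%m%d-%H%M%S).log"
    set -- -all -rec -ss -eec "-p=$log"
    [ -n "$ext" ] && set -- "$@" "-ext=$ext"
    "$SWEEP" "$@" "$dir"
    rc=$?
    echo "sophos_scan $dir finished with exit code $rc" >> "$log"
    return $rc
}

# Run as a script: inventory first, then scan /Users (installers and disk
# images included) and record the result in syslog for the log aggregator.
if [ "${1:-}" = "run" ]; then
    sophos_version
    sophos_scan /Users pkg,dmg
    logger -t sophos "scan of /Users exit=$?"
fi
```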

Pf logging

In my previous post, PF for me PF for you, I went over how to utilize PF in your environment. One thing that I did not discuss was logging with PF. When PF is enabled it does not, by itself, write any of the passes or blocks to a log. You can obtain statistics on how well your firewall rules are performing by utilizing the following command:

pfctl -s info

Here is an example of the output:

Screenshot: output of pfctl -s info, giving you a listing of how effective your firewall ruleset is.

But let's say you wanted to collect more data to send to your log aggregator, or just to the internal syslog to investigate; how would you set this up? Essentially, we want to create a text file of traffic, things we block, or things we allow in; otherwise, we are flying blind. There are a few steps to set up logging on the system. (I have included the steps for setup on my Github as well.)

First, enable the syslogging of local2:

echo -e "# gather PF log data\nlocal2.*\t\t\t/private/var/log/pf.log" >> /etc/syslog.conf

Next, create the actual log file and change the permissions on the file:

touch /private/var/log/pf.log
chmod 640 /private/var/log/pf.log 
chown root:wheel /private/var/log/pf.log
killall -HUP syslogd

Next, set up a tcpdump from /dev/pflog0 to syslog:

cat >/usr/local/bin/pflog.sh <<END
#!/bin/sh
/sbin/ifconfig pflog0 create
/usr/sbin/tcpdump -lnettti pflog0 | /usr/bin/logger -t pf -p local2.info
END

Then, change permissions on the tcpdump logging script:

chown root:wheel /usr/local/bin/pflog.sh
chmod 555 /usr/local/bin/pflog.sh

Next, create a launch daemon that will ensure the pflog.sh script is started at boot and kept running (nameof.plist is a placeholder; use a reverse-DNS name of your own and keep it consistent in the commands below):

cat >/Library/LaunchDaemons/nameof.plist <<END
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>pflog</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/pflog.sh</string>
    </array>
    <key>Disabled</key>
    <false/>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
END

Change Permissions:

chown root:wheel /Library/LaunchDaemons/nameof.plist
chmod 444 /Library/LaunchDaemons/nameof.plist

Finally, this step switches the pfctl launch daemon so that pf starts fully at boot rather than being enabled on demand. Add the -e option to the ProgramArguments array inside /System/Library/LaunchDaemons/com.apple.pfctl.plist, so that the arguments read:

<key>ProgramArguments</key>
<array>
    <string>pfctl</string>
    <string>-ef</string>
    <string>/etc/pf.conf</string>
</array>

Note that on OS X 10.11 and later, System Integrity Protection prevents editing files under /System; on those releases, run pfctl -ef from a launch daemon of your own under /Library/LaunchDaemons instead.

Once all of this is in place then check to see if pf is running:

launchctl list | grep pf

Load the pf log plist:

launchctl load -w /Library/LaunchDaemons/nameof.plist

Then, check to ensure that pf log is now running:

launchctl list | grep pf
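Once pf.log is filling up, the next question is what to make of it. As an added example (not part of the original post), the script below summarises the log lines written by the tcpdump-to-logger pipeline above, counting blocks and passes per interface and destination port and listing the most-blocked sources. It assumes tcpdump's pflog lines look like `rule 2/0(match): block in on en0: 10.0.0.9.52211 > 10.0.0.5.22: Flags [S], ...` (IPv4 only); the PFLOG variable and the log lines used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise /private/var/log/pf.log
# as written by the tcpdump -> logger pipeline above. Assumes tcpdump's pflog
# lines look like
#   rule 2/0(match): block in on en0: 10.0.0.9.52211 > 10.0.0.5.22: Flags [S], ...
# (IPv4 only; the addresses used in testing are constructed).
PFLOG="${PFLOG:-/private/var/log/pf.log}"
PF_LINE='.*rule ([0-9]+)/[^ ]* *(block|pass) (in|out) on ([^:]+): '
IPV4='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'

# pf_events: reduce each matching line (stdin) to
#   ACTION DIR IFACE RULE SRC_IP DST_PORT
# and drop everything else (syslog header, TCP flags, sequence numbers).
pf_events() {
    sed -nE "s#${PF_LINE}(${IPV4})\.([0-9]+) > (${IPV4})\.([0-9]+):.*#\2 \3 \4 \1 \5 \8#p"
}

# pf_summary: how often each action hit each interface/port, busiest first.
# This is the per-port view that `pfctl -s info` does not give you.
pf_summary() {
    pf_events | awk '{ print $1, $2, $3, "port", $6 }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# pf_blocked_sources: which source addresses are being blocked the most.
pf_blocked_sources() {
    pf_events | awk '$1 == "block" { print $5 }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Run as `pflog-report.sh report` to look at the live log (needs read access
# to pf.log, i.e. root or the wheel group given the chmod 640 above).
if [ "${1:-}" = "report" ]; then
    echo "== hits per interface and port =="; pf_summary < "$PFLOG"
    echo "== most blocked sources =="; pf_blocked_sources < "$PFLOG"
fi
```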

PF for me PF for you

Recently I have been tasked with expanding the firewall on OS X. By default the Application firewall is enabled on most devices as a standard safety procedure. Nothing is wrong with the Application firewall Apple included in OS X but, my infrastructure required something a bit more robust. If you would like more reading about the OS X: Application firewall, click this link, which is the official blurb from Apple.

I did not have a laundry list of settings. If anything, my settings were based on the output of nmap scans. OS X now ships with PF, the OpenBSD Packet Filter. PF allows administrators to tightly control the packet firewall on a device; however, it is primarily a terminal-based configuration. There is a GUI application for it, but I found it easier to work with terminal and vi for configuration.

When determining your firewall philosophy you should ask yourself whether your default allows everything or blocks everything. If your default allows everything then you must decide what to block. This list could be excruciating to navigate because there are 65,535 ports. If your default blocks everything then an administrator only has to open the ports that are truly needed.

Personally, I choose to go with the default block route, only opening the specific ports that my organization and users need in order to conduct business. Before implementing my rules I researched and read information to ensure I had a strong grasp of PF. I Googled the topic and also read The Book of PF. I highly recommend the book if you are going to start utilizing PF. After reading this book I was able to build a proper rule-set.

The first thing to do is to learn how to turn on and off the pf firewall. It does need elevated or root privileges to enable and disable.

Enable PF
pfctl -e

Disable pf
pfctl -d

The next thing is to determine where to place your configuration. I would suggest not placing your rules in the pf.conf file located in /etc/ but creating an anchor file within the /etc/pf.anchors directory. I advise this because an Apple update could undo your changes to pf.conf.

If you look at the contents of /etc/pf.anchors there is a com.apple anchor file. If you look at the contents of the pf.conf file it tells pf to read rules from the pf.anchors directory. Because of this I believe it is best to create an anchor and have pf.conf read my anchor.

As I stated earlier I decided to go with the default to block all traffic into the machine, while logging all blocked traffic.
block in log all

I wanted to allow certain types of traffic from certain hosts. I decided to utilize macros and tables within my anchor. OpenBSD documentation defines macros as "user-defined variables that can hold IP addresses, port numbers, interface names, etc. Macros can reduce the complexity of a PF rule-set and also make maintaining a rule-set much easier." In the same documentation a table is defined as "used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists." With a better understanding of how macros and tables are used I decided to use macros for ports and tables for hosts. A rule could potentially look like this:

table <host_list> persist { 123.4.456.789 }

Only add persist or const to your table if you need a persistent or constant connection. 

When building my rule-set I defined each port with its own macro. I also created many different tables for my collection of hosts, and I labeled my macros and tables explicitly. I did this because, in my anchor file, each rule line corresponds to a single macro and a single table. This helps because pf has a command that prints out your rule-set in plain English. It tends to put everything in perspective and allows everyone to easily see what is and is not allowed within your config.

Print plain English pf rules:
pfctl -sr

Here is an example:

pass in log proto tcp from <host> to any port = 5900 flags S/SA keep state
pass in log proto udp from <host> to any port = 5900 keep state
pass in log quick proto tcp from <otp> to any port = 22 flags S/SA keep state
pass in log proto tcp from <host> to any port = 22 flags S/SA keep state
pass in log proto udp from <host> to any port = 22 keep state

Lastly, pf has a syntax parser. It reports the line on which an error occurred and whether the rule-set would load. I would highly recommend that users run this command before trying to enable a rule-set.

Parse Rule-set:
pfctl -nvf /etc/pf.conf

Here is an example of the output of this command:

/etc/pf.conf:53: syntax error
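As an added example (not from the original post), here is the anchor approach described above written out as a script: it builds an anchor from macros and tables with the default block-in-log rule, prints the two lines pf.conf needs to load it, and runs the `pfctl -nvf` parse, showing the offending line in context when the parser reports `file:N: syntax error`. The anchor name org.example.workstation, the host addresses, the ports and the helper names are assumptions; pfctl itself needs root.

```shell
#!/bin/sh
# Added example, not from the original post: build a PF anchor the way the post
# describes (default block-in with logging, macros for ports, tables for hosts),
# print the pf.conf lines that load it, and parse it before enabling it.
# The anchor name, addresses and ports are assumptions for illustration.
ANCHOR="${ANCHOR:-org.example.workstation}"
ANCHOR_FILE="${ANCHOR_FILE:-/etc/pf.anchors/$ANCHOR}"

# write_anchor FILE: write the ruleset. One macro per port and one table per
# host group keeps each pass rule to a single macro and a single table.
write_anchor() {
    cat > "$1" <<'EOF'
# macros: one port per service, named after the service
ssh_port = "22"
vnc_port = "5900"

# tables: one per group of trusted hosts (constructed RFC 5737 addresses)
table <mgmt_hosts> persist { 192.0.2.10, 192.0.2.11 }
table <otp_hosts> persist { 198.51.100.0/24 }

# default: block everything coming in and log it
block in log all

# one rule per macro/table pair, so that `pfctl -sr` reads as a plain list
pass in log quick proto tcp from <otp_hosts> to any port $ssh_port flags S/SA keep state
pass in log proto tcp from <mgmt_hosts> to any port $ssh_port flags S/SA keep state
pass in log proto tcp from <mgmt_hosts> to any port $vnc_port flags S/SA keep state
EOF
}

# pfconf_lines: the two lines /etc/pf.conf needs so that the anchor is
# evaluated and its rules are read from ANCHOR_FILE.
pfconf_lines() {
    printf 'anchor "%s"\nload anchor "%s" from "%s"\n' "$ANCHOR" "$ANCHOR" "$ANCHOR_FILE"
}

# show_error_context "FILE:N: message": print lines N-2..N+2 of FILE with
# line N marked, so a "syntax error" report can be located at a glance.
show_error_context() {
    file=${1%%:*}; rest=${1#*:}; line=${rest%%:*}
    case $line in ''|*[!0-9]*) return 1 ;; esac
    start=$((line > 2 ? line - 2 : 1))
    awk -v n="$line" -v s="$start" \
        'NR >= s && NR <= n + 2 { printf "%s%4d  %s\n", (NR == n ? ">" : " "), NR, $0 }' "$file"
}

# pf_lint FILE: dry-run parse with pfctl (needs root). Succeeds when the file
# parses; otherwise prints pfctl's message and the offending lines.
pf_lint() {
    if err=$(pfctl -nvf "$1" 2>&1 >/dev/null); then
        echo "ok: $1 parses (nothing loaded)"
        return 0
    fi
    echo "$err"
    show_error_context "$err"
    return 1
}

# Run as `pf-anchor.sh install`: write the anchor and lint it; once it passes,
# add the pfconf_lines output to /etc/pf.conf and reload with pfctl -f.
if [ "${1:-}" = "install" ]; then
    write_anchor "$ANCHOR_FILE" && pf_lint "$ANCHOR_FILE" && pfconf_lines
fi
```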

Pf is a powerful tool that admins can use to secure the workstations in their environment or secure their servers. I took about two days of reading and playing around within terminal to get a strong grasp on Pf. Logging in Pf is interesting because there is no logging by default. You must set up the logging yourself, which I will cover in a later post.

Does anyone in the community utilize Pf?  If so in what way? If not, what is stopping you?

If you would like more in depth information about Pf please do not hesitate to contact me.
 

Sleep eludes me

This post will be different from my normal posts. As someone who lives and breathes everything technology-related I definitely enjoy trying new tech tools. Advanced health metrics is a very important topic to me. Having the ability to track my physical activities is exciting. Exercise affects your overall health and being active for at least thirty minutes a day is key to staying healthy. I enjoy walking and cycling from time to time and having an application track these metrics is vital to me. I have used a few apps to track my exercise regimen:

Another component of maintaining good health is getting adequate sleep. Feeling rested is key in successfully performing my job on a day to day basis but, I am a light sleeper and wake up at the slightest noise or light. Having an analysis of what keeps me up, how often I wake up in the middle of the night, or when I am restless is helpful. Although Fitbit is one device that offers informative sleep data within their application the data does not provide enough detail as to WHY I am restless or awake during the night.

My Fitbit Analysis using the iOS App.

So I came across something called Hello Sense. Sense attempts to diagnose your sleep surroundings. According to Hello’s webpage, Sense is "a simple system that tracks your sleep, monitors the surroundings in your bedroom and reinvents the alarm, so you can sleep better." (https://hello.is) Hello will have applications for both iOS and Android OSes. Sense has the following technologies built into the pill:

  • Microphone
  • Ambient Light Sensor
  • Temperature and Humidity Sensors
  • Particulate Sensor
  • Speaker
Photo Credit: Hello.is twitter.com/hello

The tech inside the pill can help diagnose and change the way people look at sleep analytics. I enjoy when new tech comes out that has the chance of improving one’s lifestyle. What other new tech do you use or want to use in your daily life?

 

Mic check 1, 2, 1, 2

There are plenty of open source projects out in the wild that are built on a variety of platforms. Github, BitBucket and Mercurial. Open source projects rely on these services because they are able to version control their code. Version control has some of the following benefits:

  • Archive successive versions of source-controlled items
  • Maintain detailed history and version information
  • Collaborate on projects
  • Recover from accidental deletions or errors

Deploying version control within an organization can help staff produce efficient and stable code. It allows everyone to view, comment on, and edit code before it hits production servers. Many times when people write code, the code works well on their system and maybe on a few of their test systems, but in an environment that has hundreds or thousands of nodes it is important to fully test every potential system your code will touch. This leads to another important component of writing code: documentation.

Documentation is something that is lacking in most I.T. departments. Technicians deploying systems usually feel pressed to roll out a service or finish a project so they can move on to the next item on their agenda. Versioning will allow technicians to document every change. Co-workers can follow the logic that went into developing a code base. Documentation can also save you when having to restore or update services. I.T. professionals move at a lightning pace and it helps if you store helpful hints for yourself or your team. For those co-workers who need motivation for why to document, Rich Trouton gave a presentation at the MacTech Conference about documentation that is worth a read.

Open source projects that utilize these tools allow anyone who is interested in a project to provide and enhance code. For example, the Autopkg project automates the preparation of software to be deployed to OS X clients. This project was created because there is a need to automate software updates for applications. The creators of the tool started a repository from which users can pull updates for certain applications. They also set up the application framework, which enables anyone to create "recipes" and contribute to the project. The Autopkg code all lives on Github, which allows for collaboration on a global scale.

Because of the popularity of Autopkg another open source project, based upon Github and version control, is Autopkgr. This open source project is a GUI wrapper for Autopkg. Due to version control the creators of Autopkgr are able to allow anyone to help modify the code to help benefit the community. 

Lastly, if you are looking to set up a code sync, the Client Platform Engineering (CPE) team at Facebook has open sourced some of their code sync tools. In addition, users can use some of these other tools to help with versioning and checking code:

This is not the only or definitive list of tools for versioning, editing, or checking code, but it is a start.

Here are some questions I have for you:

  • Do you version control your code?
  • What do you use to version control your code?
  • How to implement version control?
  • If you are currently not using version control do you see yourself implementing version control?

Just some food for thought. 

We are stronger as a Whole

Macbrained's November meeting was held at Salesforce. This meet-up was a bit different from the events we've held previously. Normally we have a guest speaker talk about a topic of their choice, then we network. This time around we still networked; however, we held two panels: General I.T. and Security. We took questions from the community via Google Moderator and the Macbrained FB page. Here is a sample of the questions the community submitted:

  • AV Software on a Mac, is it there for legit reasons, or just for compliance?
  • What are the top security threats for OS X right now?
  • Binary whitelisting is becoming a thing on OS X, rolling it out to a Mac user base is likely to cause bigger waves than a Windows based userbase that is used to having restricted rights etc. Anyone have a plan?
  • What type of aggregate syslog collection/analysis is everyone using?

These are some of the questions that were answered during the panel. There were followers on Twitter who chimed in with responses as well. Answers consisted of: AV is for compliance more than protection, check out Google's open source Santa program, and users should attempt to utilize Facebook's osquery.

Communities help expose people to resources to help them accomplish their goals and gives people a chance to give back. Those goals can entail scripting, new ideas of how to implement or solve a problem, someone to bounce ideas off of, or just someone to lean on. 

Do you belong to any communities? Do you give back to the open source community? Here are some images from the Macbrained November Meet-Up. 

Security Panel, General I.T. Panel, and the Macbrained Family 

I Survived Conference Season

The last half of the year for me is conference season. Normally, I have four conferences that I attend:

They are all quite interesting and amazing in their own way. I am constantly asked, "Is it really worth your time?" I always tell people that it depends on what you are trying to accomplish by going to a conference. When I attend the conference I intend to:

  • Network
  • Discover new topics
  • Learn new methods to solve current and new problems
  • Obtain a mental refresh

During conferences I am able to accomplish a lot of things, including meeting some of the brightest people in the industry, meeting people who encounter the same issues as me, and learning about new software or hardware. Attending these conferences also allows me to recharge my batteries and gain different insight. People can develop lifelong friendships and career opportunities while attending a conference.

If you are unable to attend any of these conferences, the hosts usually post videos via YouTube. You can spend a day or two watching the videos and obtain a lot of the same information.

YouTube Channels:

However, not all conferences allow their content to be posted. MacTech and Defcon do not post their sessions on YouTube, but you can order the sessions from MacTech and torrent the Defcon sessions and presentations. Another great resource techs can utilize is other technicians' blogs. Many times there will be a few wrap-up posts on techs' blogs that detail the conference experience. Which conferences did you attend? Did you find them worthwhile?

Here are some images from some of the conferences I attended this year. 

  


Hackathon

User communities are really important to me. It is like a tight-knit village of people who want to see one another succeed and are willing to help whoever comes into the village. Macbrained had a community event called a Hackathon. We tasked people to create an open source tool that the community will benefit from. There were some amazing entries in the competition. The group that won was made up of members from the Linde Group. They created a tool called autopkgr, which is a GUI application for autopkg. For those who don't like the terminal or scripting, autopkgr has nice automation tools built in that can make the life of a sysadmin a bit easier. It was a great event at Square Up, who have an amazing space in downtown San Francisco. I again recommend user groups for those trying to get into the field, because there are plenty of people who are willing to teach. Which user groups do you belong to?

The Linde Group & Autopkgr

The Travel Guys & Radar

Midnight Marauders & IT Health Manager

Macbrained & Evernote


In my post last week I talked about finding a user group that can help you and allow you to contribute to the group as well. Well I went to an event on Wednesday March 6th with the user group called Macbrained.

We were lucky enough to have Evernote sponsor our get-together. For those of you who do not know what Evernote is, it is a note-taking application for iOS, Android, Windows, and OS X. It does way more than take notes, but that is one of the core features of the application. I use Evernote on a daily basis for work, school, and personal business. If you have not had a chance to check it out, I would suggest heading over to their site and checking it out.

On this night the subject of conversation revolved around autopkg and the jss importer tool. These tools are open source projects that make a sysadmin's or client platform engineer's life easier, because they let you download dmgs that automatically get imported into your JSS. Autopkg helps you download installers from companies like Google, Firefox, Adobe, and Java without having to visit a website, and it is scriptable. Galen Richards from Evernote provided us with insight into how he utilizes both tools and explained how you can implement them in your environment if you please.

Once Galen had finished demonstrating how to use autopkg and the jss importer tool, people began to socialize with friends, colleagues, and newly met individuals about work, life, and anything technology-related. User groups are a great way to get involved in your community, educate yourself, and set up a support network.

Which User Groups do you belong to?

The Co-Founder Arek Sokol and Galen Richards the Presenter

This was the question box. Very cool by Catch Box

The Assembly

In the beginning there was code

I have been using Apple computers since the Apple II. I remember playing a game called Stellar 7 on my Mac. I had no idea what an Apple computer was or what its capabilities were. All I knew is that my dad bought one and said this is our new computer. My dad was a security guru during this time, so I just assumed this was a great tool for him to work with and a great toy for me.

Fast forward quite a bit and I find myself using a Mac for my daily computing while maintaining hundreds of Apple systems for my job. Being a sysadmin can be fun, challenging and irritating all at the same time. As a new sysadmin I do find myself lost at times with system maintenance or troubleshooting certain problems. One of my best friends during some of the troubling times has been the terminal. Another best friend has been the World Wide Web, namely Google's search engine. There are plenty of Windows admins out there, and they outnumber the Mac admins. Well, I'm here to let all the beginner admins know you are not alone in your journey to be a Mac sysadmin. There are plenty of resources out there to help in your day-to-day activities. In addition to the day-to-day help resources there are people and tools that will help you succeed in the future. Here are some resources that I utilize in my journey to master my craft of being a Mac sysadmin.

Books: 

Reading takes time, effort, and energy but it is one of the best ways to gain knowledge about a particular subject. I am a huge advocate of picking up a book/ebook and reading it for general knowledge on a subject. While reading I use Evernote to take notes digitally. This method allows me to access my notes no matter where I am, which helps when you need a reminder about a particular topic.

Two books that I have relied on in my earlier years of learning Unix/Linux as well as Unix shell scripting are:

User groups: 

Macbrained.org is a bay area OSX and iOS user community

User groups are your best friend. This gives you a chance to network with people from all skill sets and backgrounds. This is also an opportunity for you to learn and ask questions to solve some of your problems. You will also find that your knowledge base is larger than you think. You may end up solving someone's problem without even realizing it. It will also provide an outlet to ask questions via a forum or blog for the group. This will help solve or answer some of your day-to-day inquiries. The user group that I spend the most time with is an organization called Macbrained. It is an amazing collection of individuals who just want to help make people's lives easier.

Twitter:

Twitter's micro-blogging site is full of information if you use the search feature. During a search you may find a user to follow who has useful information. People post answers to problems, research, and lots of other information on Twitter. These links usually point back to their website or blog, which you can use as another source of information to help you advance your skills.


In my journey to becoming a better sys admin I put the pressure on myself to take the time to seek out the proper resources and education. One thing I have learned in the last two years about technology is that you must educate yourself. If you do not own your education you will get left behind. Technology changes so rapidly that we as techs must take ownership of mastering our craft. You own your destiny, so make sure you set yourself up for success.