Apple platform security

Mac security feature implementation

Apple MacBook security features.

Scope: macOS controls and artefacts
Focus: Filtering, quarantine, plist startup, logs
Format: Technical article layout

Pfctl packet filter

Packet filtering in macOS provides selective passing or blocking of network traffic as it traverses an interface. This section reframes the original notes into a cleaner technical summary with the same content focus.

  • Packet filters inspect traffic against Layer 3 and Layer 4 criteria such as source and destination addresses, ports, and protocol.
  • Custom packet-filter rules for security applications are commonly maintained under /etc/pf.anchors/.
  • Administrative use of pfctl directly affects filter operation and policy loading on the host.
  • Apple ships a launch daemon, /System/Library/LaunchDaemons/com.apple.pfctl.plist, that invokes pfctl at system startup.
  • Reference for macOS packet filter configuration

Gatekeeper and quarantine tag

Gatekeeper performs execution checks on macOS by evaluating signing, file origin, type and quarantine state. The original material also highlights the importance of quarantine tagging for downloaded content.

  • Gatekeeper relies on quarantine metadata applied to internet downloads as part of its trust decision process.
  • Applications can opt into File Quarantine protection by using the LSFileQuarantineEnabled key in their Info.plist.
  • Utilities such as wget and curl may not apply quarantine attributes to downloaded files.
  • Inspecting a file's extended attributes with xattr -l reveals whether quarantine metadata is present before the file is run.
  • Red Canary article on Gatekeeper bypass patterns
[Figure: macOS quarantine attribute example, illustrating quarantine attribute inspection]

Plist daemon startup points

Property list files act as configuration stores across macOS and can also become persistence points when abused. This section restructures the original notes into a more readable explanation of launch daemon risk.

  • Plists are commonly binary or XML-backed configuration files and can be parsed with commands such as plutil -p f.plist.
  • They can be modified with commands such as plutil -insert key -string value f.plist.
  • Malicious persistence may be introduced through files placed in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/.
  • While application controls restrict some execution paths, standalone binaries may still provide a route for abuse.
  • Related example: sliver binary
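To make the plist-review step concrete, here is an added example (not from this page or from Apple) that parses a launch daemon plist with Python's standard plistlib, the same XML and binary formats plutil -p prints, and reports the persistence indicators a reviewer would check; the trusted-path allow-list and both sample plists are constructed for the demo.

```python
import plistlib

# Assumed allow-list of directories Apple and trusted vendors run daemons
# from; tune it for your fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/",
                    "/usr/libexec/", "/Library/Apple/")
SHELLS = ("/bin/sh", "/bin/bash", "/bin/zsh")

def audit_launch_plist(data: bytes) -> dict:
    """Parse one LaunchDaemon/LaunchAgent plist (XML or binary) and return
    the label, the resolved executable and a list of review findings."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    exe = plist.get("Program") or (args[0] if args else None)
    findings = []
    if exe is None:
        findings.append("no Program or ProgramArguments")
    elif not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside trusted paths: {exe}")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set (starts at boot or login)")
    if plist.get("KeepAlive"):
        findings.append("KeepAlive set (relaunched if it exits)")
    if "StartInterval" in plist or "StartCalendarInterval" in plist:
        findings.append("scheduled re-execution")
    if exe in SHELLS:
        # A shell wrapper hides the real command behind the interpreter path.
        findings.append("interpreter wrapper in ProgramArguments")
    return {"label": plist.get("Label"), "executable": exe, "findings": findings}

# Constructed samples: a suspicious daemon that runs a binary dropped in /tmp
# at boot, and a benign one that only runs a helper from a trusted path.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/usr/libexec/example-helper</string>
</dict></plist>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        report = audit_launch_plist(sample)
        print(report["label"], report["executable"], report["findings"])
```

On current macOS with System Integrity Protection enabled, /System/Library/LaunchDaemons/ is read-only, so third-party persistence normally lands in /Library/LaunchDaemons/ or a user's LaunchAgents directory, which is where a sweep with this script is most useful.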

Universal Log

The macOS Universal Log captures a large amount of host activity and provides valuable telemetry for investigations. The examples below are retained conceptually but presented in a neater research-page format.

  • The log can be interrogated with commands such as sudo log show --last 1m.
  • Streaming current events is possible with the log stream command.
  • Predicate filtering can isolate activity from specific subsystems or categories.
Example predicate (streams AirDrop events from the com.apple.sharing subsystem):
sudo log stream --debug --predicate 'subsystem=="com.apple.sharing" and category=="AirDrop"'