Mac Security - Feature Implementation

Pfctl packet filter

  • A carry-over from BSD, the packet filter selectively passes or blocks data packets as they pass through a network interface.
  • The configured filters inspect packets at Layer 3 (IPv4 and IPv6) and Layer 4. The criteria are source and destination address, source and destination port, and protocol.
  • On a Mac, custom packet filter rules for security applications live under /etc/pf.anchors/.
  • The command pfctl -u <-filter-> affects the system filter operation.
  • For reference, Apple includes a system daemon that invokes pfctl: /System/Library/LaunchDaemons/com.apple.pfctl.plist.
  • Reference for OSX packet filter

Gatekeeper and Quarantine tag

  • Gatekeeper performs security checks before granting execution on a host: code signing, file type, quarantine status, download status, etc.
  • Gatekeeper relies on the quarantine tag applied to all internet downloads as part of its checks.
  • File Quarantine-enabled applications opt users into File Quarantine protection by adding the LSFileQuarantineEnabled key to their Info.plist; Safari is one example.
  • However, the wget and curl utilities do not apply the quarantine status to downloaded internet files.
  • While we can inspect a file's source and quarantine tag with "xattr -l", running this on a file fetched with "curl <-internet file link-> -o <-file->" shows no quarantine attribute, and Gatekeeper does not run on execution.
  • Red Canary Gatekeeper Bypass Article
  • QuarantineAttribute
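As an added example that is not part of the original article, a POSIX shell helper that decodes the com.apple.quarantine value Gatekeeper consults and reports a file that lacks it (the curl/wget case above). The function names and sample attribute values are constructed for illustration; the field layout is the flags;timestamp;agent;UUID form the attribute carries, and the flag bits themselves are not interpreted.

```shell
#!/bin/sh
# Decode the com.apple.quarantine extended attribute that Gatekeeper consults.
# Observed value layout: "<flags hex>;<download time, hex epoch seconds>;<agent>;<UUID>"
# The sample values below are constructed for illustration (hypothetical).

# quarantine_decode VALUE
# Prints "flags=<hex> downloaded=<decimal epoch> agent=<name>".
# Returns 1 for an empty value (no tag: the curl/wget case), 2 for a malformed one.
quarantine_decode() {
  value=$1
  if [ -z "$value" ]; then
    echo "no quarantine attribute: Gatekeeper will not assess this file"
    return 1
  fi
  # Split on ';' in the current shell so the fields remain in scope.
  oldifs=$IFS
  IFS=';'
  set -f            # no globbing while the fields are expanded
  set -- $value
  set +f
  IFS=$oldifs
  flags=$1
  hexts=$2
  agent=$3
  case $hexts in
    ''|*[!0-9a-fA-F]*) echo "malformed quarantine attribute: $value"; return 2 ;;
  esac
  printf 'flags=%s downloaded=%d agent=%s\n' "$flags" "$((0x$hexts))" "$agent"
}

# quarantine_check FILE (macOS only)
# Reads the attribute with xattr(1) and decodes it; a file fetched with
# "curl -o" has no attribute, so this reports that and returns 1.
quarantine_check() {
  attr=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || attr=
  quarantine_decode "$attr"
}

# Demonstration with constructed attribute values.
quarantine_decode '0083;5f3b1a2c;Safari;A1B2C3D4-0000-4000-8000-000000000000'
quarantine_decode '' || echo "(exit status $?)"
```

On a Mac, `quarantine_check ~/Downloads/some-file` runs the same decode against the real attribute, so the exit status can drive a script that flags untagged downloads.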
Plist daemon startup points

  • The Apple Mac OSX system uses property list files as program settings files; they contain properties and configuration settings.
  • They are commonly in binary format with an XML structure and are therefore read with "plutil -p f.plist" and edited with "plutil -insert key -string value f.plist".
  • Modified plists can trigger nefarious launch daemons when placed in the "/System/Library/LaunchDaemons/" and "/Library/LaunchDaemons/" directories.
  • While applications are restricted by Mac system security, binaries such as the sliver binary are not.

Universal Log

  • The Mac universal log captures much of the activity on the OSX system.
  • It can be interrogated with the log show command: "sudo log show --last 1m".
  • To show current events we use the stream command, and to show logging from a specific system component we use predicate filtering:
  • sudo log stream --debug --predicate 'subsystem=="com.apple.sharing" and category=="AirDrop"'