====== MacOS ======

===== Useful commands =====

  * List open listening ports
<code>
netstat -an | grep LISTEN
# to also have the program name
sudo lsof -i -P | grep -i "listen"
</code>

===== Remove quarantine attr =====

<code>
xattr -d com.apple.quarantine /path/to/file
</code>

===== WIFI =====

Get last connected wifi:
<code>
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | grep LastConnected -A 7
</code>

===== Read logs on macOS =====

The output format of ''log show'' can be switched with ''--style json'', ''--style ndjson'' or ''--style syslog'' (''--style compact'' is used further down).

Read sudo log:
<code>
log show --last 1d --predicate 'process == "sudo" and eventMessage contains "TTY="'
</code>

Look at read accesses:
<code>
log show --last 10h --predicate 'processImagePath contains "kernel" and senderImagePath contains "Sandbox" and eventMessage contains "file-read-xattr"'
</code>

Look at regular local login events:
<code>
syslog -F raw -T UTC | grep "_PROCESS"
# or
log show --predicate 'eventMessage contains "SessionAgentNotificationCenter"'
</code>

Look at local login with Apple Watch / Touch ID:
<code>
log show --predicate 'eventMessage contains "LWDefaultScreenLockUI" and (eventMessage contains "authSuccess" or eventMessage contains "authFailWithMessage" or eventMessage contains "loginPressed" or eventMessage contains "authBegan" or eventMessage contains "preLoad")'
</code>

Look at sshd and screensharingd login:
<code>
log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"'
log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"'
</code>

Look at TCC update logs (short TTL):
<code>
log show --info --predicate 'eventMessage contains[c] "Update Access Record:"'
</code>

AirDrop logs:
<code>
log show --predicate 'eventMessage contains "AirDrop ID"'
</code>

Sharing metadata:
<code>
log show system_logs.logarchive --predicate 'eventMessage contains "SharingDaemon State"'
</code>

See discoverability:
<code>
log show --info --predicate 'eventMessage contains "Scanning mode"'
</code>

This command will show activity while AirDropping a photo, a note, a map, and a Safari link:
<code>
log show --predicate 'category = "ShareSheet" or category = "SharingUI"'
</code>

Log every AirDrop transfer, accepted or denied:
<code>
log show system_logs.logarchive --predicate 'category = "AirDrop" and (eventMessage contains "New incoming transfer" or eventMessage contains "Opening URLs:" or eventMessage contains "alertLog: idx:")' --style compact
</code>

Get last logs to debug connectivity issues:
<code>
/usr/bin/tail -n 15000 /var/log/system.log | /usr/bin/egrep -i "kernel|launchd|vpn|dns|configd|racoon"
log show --last 8h --predicate 'subsystem == "com.apple.networkextension"'
log show --last 8h --predicate 'subsystem == "com.apple.SystemConfiguration"'
log show --last 8h --predicate 'subsystem == "com.apple.symptomsd" AND category == "netepochs"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "dns"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "vpn"'
log show --last 8h --predicate 'subsystem == "com.apple.network" AND category == "connection"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "configd" OR process == "configd"'
log show --last 8h --predicate 'subsystem == "com.apple.CoreUtils"'
</code>

or in one command:
<code>
log show --last 8h --predicate '((subsystem == "com.apple.networkextension") || (subsystem == "com.apple.SystemConfiguration") || (subsystem == "com.apple.symptomsd" AND category == "netepochs") || (eventMessage CONTAINS[cd] "dns") || (eventMessage CONTAINS[cd] "vpn") || (subsystem == "com.apple.network" AND category == "connection") || (eventMessage CONTAINS[cd] "configd" OR process == "configd") || (subsystem == "com.apple.CoreUtils") || (eventMessage CONTAINS[cd] "umbrella") || (process == "dns-updater") || (eventMessage CONTAINS[cd] "launchd" AND NOT eventMessage CONTAINS[cd] "invoked (by pid 1/launchd)" AND NOT eventMessage CONTAINS[cd] "OSLaunchdJob")) && (NOT eventMessage MATCHES ".(/usr/bin/log).")'
</code>

Get log containing FILLME:
<code>
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "FILLME"'
</code>

===== Gatekeeper =====

  * Enable/Disable Gatekeeper
<code>
spctl --master-enable
spctl --master-disable
spctl --status
</code>
  * Determine if an application is allowed
<code>
spctl -a /Path/To/program.app
</code>
  * Adding a rule to allow an application. In the following command, we are adding a program (specified by the program path) to the rule called "MyLabel."
<code>
spctl --add --label "MyLabel" /Path/To/program
</code>
  * Enable or disable the rule
<code>
spctl --enable --label "MyLabel"
spctl --disable --label "MyLabel"
</code>
  * Listing and deleting rules
<code>
spctl --list
spctl --remove --label "MyLabel"
</code>

===== Launchd =====

[[https://www.launchd.info]]

^ Type           ^ Location                       ^ Run on behalf of                                  ^
| User Agents    | ~/Library/LaunchAgents         | Currently logged in user                          |
| Global Agents  | /Library/LaunchAgents          | Currently logged in user                          |
| Global Daemons | /Library/LaunchDaemons         | root or the user specified with the key UserName  |
| System Agents  | /System/Library/LaunchAgents   | Currently logged in user                          |
| System Daemons | /System/Library/LaunchDaemons  | root or the user specified with the key UserName  |

===== Get logged in user =====

<code>
# zsh and bash scripts
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# sh scripts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
</code>

cheatsheet/mac.txt · Last modified: 2024/10/14 20:59 by 127.0.0.1
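The sudo and screensharingd predicates in the "Read logs on macOS" section above only select records; turning them into a review needs a parser for what ''log show --style ndjson'' emits. The following script is an added example and not part of the cheatsheet. The sample records are constructed, the sudo and screensharingd message formats are assumed from typical output, and the ndjson field names (''timestamp'', ''process'', ''processImagePath'', ''eventMessage'') are assumed to match the unified log export. It extracts who ran what through sudo, flags commands touching Gatekeeper/SIP/quarantine (a watchlist of this example, not of the page), and counts failed screen-sharing logins per viewer address.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample of `log show --style ndjson` output (not a real capture).
# Only the fields this script reads are included; the screensharingd path is made up.
SAMPLE_NDJSON = """\
{"timestamp":"2024-10-14 09:01:12.000000+0200","process":"sudo","processImagePath":"/usr/bin/sudo","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id"}
{"timestamp":"2024-10-14 09:02:40.000000+0200","process":"sudo","processImagePath":"/usr/bin/sudo","eventMessage":"bob : TTY=ttys003 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/csrutil status"}
{"timestamp":"2024-10-14 09:03:05.000000+0200","process":"sudo","processImagePath":"/usr/bin/sudo","eventMessage":"alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/spctl --master-disable"}
{"timestamp":"2024-10-14 09:05:00.000000+0200","process":"screensharingd","processImagePath":"/usr/libexec/screensharingd","eventMessage":"Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: DH"}
{"timestamp":"2024-10-14 09:05:03.000000+0200","process":"screensharingd","processImagePath":"/usr/libexec/screensharingd","eventMessage":"Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7 :: Type: DH"}
{"timestamp":"2024-10-14 09:05:09.000000+0200","process":"screensharingd","processImagePath":"/usr/libexec/screensharingd","eventMessage":"Authentication: SUCCEEDED :: User Name: alice :: Viewer Address: 192.0.2.10 :: Type: DH"}
{"timestamp":"2024-10-14 09:06:00.000000+0200","process":"kernel","processImagePath":"/kernel","eventMessage":"unrelated kernel message"}
"""

# Assumed sudo line layout: "<user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# Assumed screensharingd layout: "Authentication: <RESULT> :: User Name: <u> :: Viewer Address: <ip> ..."
VNC_RE = re.compile(r"Authentication: (?P<result>\w+) :: User Name: (?P<user>.*?) :: Viewer Address: (?P<addr>\S+)")

# Commands worth a second look when run as root (this example's own watchlist).
WATCHLIST = ("spctl", "csrutil", "xattr -d com.apple.quarantine", "launchctl")


def parse_ndjson(text):
    """Parse one JSON record per line; skip blank or truncated lines instead of aborting."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def sudo_commands(records):
    """Return {time, user, tty, pwd, target, command} for every parsable sudo record."""
    out = []
    for r in records:
        if r.get("process") != "sudo":
            continue
        m = SUDO_RE.match(r.get("eventMessage", ""))
        if m:
            out.append({"time": r.get("timestamp"), **m.groupdict()})
    return out


def sensitive_sudo(records):
    """Sudo invocations whose command contains a watchlisted tool."""
    return [e for e in sudo_commands(records) if any(w in e["command"] for w in WATCHLIST)]


def screensharing_auth(records):
    """Return {time, result, user, addr} for each screensharingd authentication record."""
    out = []
    for r in records:
        if r.get("process") != "screensharingd":
            continue
        m = VNC_RE.search(r.get("eventMessage", ""))
        if m:
            out.append({"time": r.get("timestamp"), **m.groupdict()})
    return out


def failed_screensharing_by_address(records, threshold=2):
    """Viewer addresses with at least `threshold` FAILED screen-sharing logins."""
    counts = Counter(e["addr"] for e in screensharing_auth(records) if e["result"] == "FAILED")
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Pipe real data in with: log show --last 1d --style ndjson | python3 thisscript.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NDJSON
    recs = parse_ndjson(text)
    for e in sensitive_sudo(recs):
        print(f"[sudo] {e['time']} {e['user']}@{e['tty']} -> {e['command']}")
    for addr, n in failed_screensharing_by_address(recs).items():
        print(f"[screensharing] {n} failed logins from {addr}")
```

On a real host the sudo predicate from the section above already narrows the export, so prefer ''log show --last 1d --style ndjson --predicate 'process == "sudo" and eventMessage contains "TTY="'' as the input rather than a full dump; ''log show'' without a time bound walks the whole store.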
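The Launchd table above lists where agents and daemons live and whom they run as, which is exactly the set of directories to walk when reviewing a machine for unexpected persistence. The following audit script is an added example and not part of the cheatsheet. It uses the five locations from the table, reads each plist with the standard ''plistlib'' (XML or binary), and applies a few heuristics of this example's own choosing: a program or argument path under a world-writable staging directory, a hidden path component, or a shell/interpreter invoked with ''-c''. ''build_demo_dir()'' writes two constructed plists into a temporary directory so the script runs without touching the real folders.

```python
import os
import plistlib
import tempfile

# Locations from the Launchd table; /System/* is read-only on modern macOS.
LAUNCHD_DIRS = {
    "User Agents": os.path.expanduser("~/Library/LaunchAgents"),
    "Global Agents": "/Library/LaunchAgents",
    "Global Daemons": "/Library/LaunchDaemons",
    "System Agents": "/System/Library/LaunchAgents",
    "System Daemons": "/System/Library/LaunchDaemons",
}

# Heuristics chosen for this example, not a definitive list.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/private/tmp/", "/Users/Shared/")
SHELL_INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3", "/usr/bin/osascript")


def inspect_plist(path):
    """Extract the launchd keys that matter for a persistence review."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # handles both XML and binary plists
    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else None)
    return {
        "path": path,
        "label": data.get("Label"),
        "program": program,
        "arguments": list(args),
        "run_at_load": bool(data.get("RunAtLoad", False)),
        # KeepAlive may be a bool or a dict of conditions; either way non-empty means "restart me"
        "keep_alive": bool(data.get("KeepAlive", False)),
        "user": data.get("UserName"),  # only meaningful for daemons (see the table)
    }


def suspicious_flags(info):
    """Return the list of heuristic flags raised by one launchd item."""
    flags = []
    paths = [info["program"] or ""] + [a for a in info["arguments"] if a.startswith("/")]
    if any(p.startswith(SUSPICIOUS_PREFIXES) for p in paths):
        flags.append("writable staging directory")
    if any(part.startswith(".") for p in paths for part in p.split("/") if part not in ("", ".", "..")):
        flags.append("hidden path component")
    if (info["program"] or "") in SHELL_INTERPRETERS and "-c" in info["arguments"]:
        flags.append("interpreter with inline command")
    return flags


def audit_launch_items(dirs):
    """Walk each directory, parse every .plist, attach its kind and heuristic flags."""
    findings = []
    for kind, directory in dirs.items():
        if not os.path.isdir(directory):
            continue  # e.g. no ~/Library/LaunchAgents yet, or no permission
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                info = inspect_plist(path)
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable or malformed plist: skip rather than abort the audit
            info["kind"] = kind
            info["flags"] = suspicious_flags(info)
            findings.append(info)
    return findings


def build_demo_dir():
    """Write two constructed plists into a temp dir that stands in for a LaunchAgents folder."""
    d = tempfile.mkdtemp(prefix="launchagents-demo-")
    benign = {
        "Label": "com.example.updater",
        "Program": "/Library/Application Support/Example/updater",
        "RunAtLoad": True,
        "StartInterval": 3600,
    }
    odd = {
        "Label": "com.example.helper",
        "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/run.sh"],
        "RunAtLoad": True,
        "KeepAlive": {"SuccessfulExit": False},
    }
    for item in (benign, odd):
        with open(os.path.join(d, item["Label"] + ".plist"), "wb") as fh:
            plistlib.dump(item, fh)
    return d


if __name__ == "__main__":
    # Replace {"demo": build_demo_dir()} with LAUNCHD_DIRS to audit the real locations.
    for item in audit_launch_items({"demo": build_demo_dir()}):
        marker = "!!" if item["flags"] else "  "
        print(f"{marker} [{item['kind']}] {item['label']}: {item['program']} "
              f"RunAtLoad={item['run_at_load']} KeepAlive={item['keep_alive']} {item['flags']}")
```

Reading ''/Library/LaunchDaemons'' needs no special rights, but on a live host Full Disk Access may be required for some user folders; an item that is absent from ''launchctl list'' yet present on disk is still worth recording, since it will load at the next login or boot.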