====== MacOS ======
===== Useful commands =====
* List open listening ports (the Linux form netstat -pant does not work on macOS, where -p takes a protocol name and there is no -t)
netstat -an -p tcp | grep LISTEN
# to also have the program name and PID (lsof needs root to see other users' processes)
sudo lsof -nP -iTCP -sTCP:LISTEN
===== Remove quarantine attr =====
xattr -d com.apple.quarantine /path/to/file
===== WIFI =====
Get last connected wifi:
defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences | grep -A 7 LastConnected
===== Read logs on macOS =====
The output format of log show is selected with --style: json, ndjson, syslog or compact (the default is a wide text table).
Read sudo log:
log show --last 1d --predicate 'process == "sudo" and eventMessage contains "TTY="'
Look at read accesses:
log show --last 10h --predicate 'processImagePath contains "kernel" and senderImagePath contains "Sandbox" and eventMessage contains "file-read-xattr"'
Look at regular local login events:
syslog -F raw -T UTC | grep "_PROCESS"
# or
log show --predicate 'eventMessage contains "SessionAgentNotificationCenter"'
Look at local login with Apple watch/touchID
log show --predicate 'eventMessage contains "LWDefaultScreenLockUI" and (eventMessage contains "authSuccess" or eventMessage contains "authFailWithMessage" or eventMessage contains "loginPressed" or eventMessage contains "authBegan" or eventMessage contains "preLoad")'
Look at sshd and screensharingd login:
log show --info --predicate 'process == "sshd" or eventMessage contains "ssh"'
log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"'
Look at TCC update logs (short TTL)
log show --info --predicate 'eventMessage contains[c] "Update Access Record:"'
Airdrop logs
log show --predicate 'eventMessage contains "AirDrop ID"'
Sharing metadata (this query and the AirDrop transfer query below read a saved archive, e.g. one produced by log collect or sysdiagnose; drop the archive path to query the live log)
log show system_logs.logarchive --predicate 'eventMessage contains "SharingDaemon State"'
See discoverability
log show --info --predicate 'eventMessage contains "Scanning mode"'
This command will show activity while AirDropping a photo, a note, a map, and a Safari link.
log show --predicate 'category = "ShareSheet" or category = "SharingUI"'
Log every AirDrop transfer accepted or denied (from a saved archive)
log show system_logs.logarchive --predicate 'category = "AirDrop" and (eventMessage contains "New incoming transfer" or eventMessage contains "Opening URLs:" or eventMessage contains "alertLog: idx:")' --style compact
Get last logs to debug connectivity issues
/usr/bin/tail -n 15000 /var/log/system.log | /usr/bin/egrep -i "kernel|launchd|vpn|dns|configd|racoon"
log show --last 8h --predicate 'subsystem == "com.apple.networkextension"'
log show --last 8h --predicate 'subsystem == "com.apple.SystemConfiguration"'
log show --last 8h --predicate 'subsystem == "com.apple.symptomsd" AND category == "netepochs"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "dns"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "vpn"'
log show --last 8h --predicate 'subsystem == "com.apple.network" AND category == "connection"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "configd" OR process == "configd"'
log show --last 8h --predicate 'subsystem == "com.apple.CoreUtils"'
or in one command
log show --last 8h --predicate '((subsystem == "com.apple.networkextension") || (subsystem == "com.apple.SystemConfiguration") || (subsystem == "com.apple.symptomsd" AND category == "netepochs") || (eventMessage CONTAINS[cd] "dns") || (eventMessage CONTAINS[cd] "vpn") || (subsystem == "com.apple.network" AND category == "connection") || (eventMessage CONTAINS[cd] "configd" OR process == "configd") || (subsystem == "com.apple.CoreUtils") || (eventMessage CONTAINS[cd] "umbrella") || (process == "dns-updater") || (eventMessage CONTAINS[cd] "launchd" AND NOT eventMessage CONTAINS[cd] "invoked (by pid 1/launchd)" AND NOT eventMessage CONTAINS[cd] "OSLaunchdJob")) && (NOT eventMessage MATCHES ".(/usr/bin/log).")'
Get log containing FILLME
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "FILLME"'
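Added example, not from the original page: a small sh script that pulls the sudo lines with the predicate from the "Read sudo log" entry above, summarizes who ran what as whom, and flags commands that weaken the machine's security posture. The live wrapper calls log show; the parsing is demonstrated on constructed sample lines that imitate --style compact output (timestamps, PIDs and user names are made up), so the summary also runs offline. The watch-list regex is an assumption to adapt.

```shell
#!/bin/sh
# Added example: summarize sudo activity from the unified log.

# Constructed sample resembling `log show --style compact` output for the
# sudo predicate (not captured from a real machine).
SAMPLE_SUDO_LOG='2024-05-01 09:14:02.118 Df sudo[4121:9a3c] alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/whoami
2024-05-01 09:14:40.532 Df sudo[4130:9a5f] alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/spctl --master-disable
2024-05-01 09:15:11.004 Df sudo[4152:9b10] bob : TTY=ttys003 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/xattr -d com.apple.quarantine /Users/bob/Downloads/tool
2024-05-01 09:16:00.770 Df sudo[4160:9b44] bob : 3 incorrect password attempts ; TTY=ttys003 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/launchctl bootstrap system /Library/LaunchDaemons/x.plist'

# Commands worth a second look when run through sudo (assumed watch list; extend as needed).
SENSITIVE_RE='spctl|xattr -d com[.]apple[.]quarantine|launchctl (bootstrap|load)|csrutil|tccutil'

# Live source: sudo events from the last period (default 1d), one line per event.
sudo_log_show() {
    log show --last "${1:-1d}" --style compact \
        --predicate 'process == "sudo" and eventMessage contains "TTY="'
}

# stdin: compact log lines; stdout: user<TAB>OK|FAIL<TAB>target user<TAB>command
summarize_sudo() {
    awk '
    /TTY=/ {
        line = $0
        sub(/^.*\] /, "", line)              # drop timestamp, level and "sudo[pid:tid]"
        split(line, a, " : ")
        user = a[1]
        status = (line ~ /incorrect password attempts/) ? "FAIL" : "OK"
        target = ""; cmd = ""
        n = split(line, parts, " ; ")
        for (i = 1; i <= n; i++) {
            if (parts[i] ~ /^USER=/)    target = substr(parts[i], 6)
            if (parts[i] ~ /^COMMAND=/) cmd = substr(parts[i], 9)
        }
        printf "%s\t%s\t%s\t%s\n", user, status, target, cmd
    }'
}

# stdin: summarize_sudo output; stdout: only rows whose command matches the watch list
flag_sensitive() {
    awk -F '\t' -v re="$SENSITIVE_RE" '$4 ~ re'
}

# Run with --live on a Mac to read the real log; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    sudo_log_show "${2:-1d}" | summarize_sudo | flag_sensitive
else
    printf '%s\n' "$SAMPLE_SUDO_LOG" | summarize_sudo | flag_sensitive
fi
```

Failed password attempts keep the same TTY=/COMMAND= layout with an extra "N incorrect password attempts" prefix, so the summary marks them FAIL instead of dropping them; a failed attempt to disable Gatekeeper or bootstrap a daemon is at least as interesting as a successful one.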
===== Gatekeeper =====
* Enable/Disable Gatekeeper (needs sudo; macOS 13 and later name the flags --global-enable/--global-disable, and macOS 15 no longer allows disabling from the command line at all, pointing to System Settings > Privacy & Security instead)
sudo spctl --master-enable
sudo spctl --master-disable
spctl --status
* Determine if an application is allowed (-a is --assess; -t exec selects the execution policy and -vv prints the verdict together with its source, e.g. "Notarized Developer ID" or "no usable signature")
spctl -a -t exec -vv /Path/To/program.app
* Adding a rule to allow an application (needs sudo). In the following command, we are adding a program (specified by the program path) to the rule called "MyLabel."
sudo spctl --add --label "MyLabel" /Path/To/program
* Enable or disable the rule
sudo spctl --enable --label "MyLabel"
sudo spctl --disable --label "MyLabel"
* Listing and deleting rules
spctl --list
sudo spctl --remove --label "MyLabel"
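Added example, not from the original page: a triage helper for a downloaded application that reads the quarantine attribute (see "Remove quarantine attr" above) and runs the Gatekeeper assessment before anyone strips the attribute with xattr -d. spctl writes its verdict to stderr, so the wrapper merges the streams and a small parser reduces them to one accepted/rejected line with the source. The parser is exercised on constructed spctl output (the app paths and team ID are invented), so that part runs anywhere; assess_app itself needs a Mac.

```shell
#!/bin/sh
# Added example: assess a downloaded app with Gatekeeper before touching its quarantine attribute.

# Constructed samples of `spctl -a -t exec -vv` output (stderr merged), not from a real system.
SAMPLE_ACCEPTED='/Applications/Tool.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_REJECTED='/Users/alice/Downloads/Unsigned.app: rejected
source=no usable signature'

# stdin: spctl -vv output; stdout: verdict<TAB>source. Exit 0 only when accepted.
parse_assessment() {
    awk '
    /: (accepted|rejected)$/ { verdict = $NF }
    /^source=/ { source = substr($0, 8) }
    END {
        printf "%s\t%s\n", verdict, source
        if (verdict == "accepted") exit 0
        exit 1
    }'
}

# Live check for one .app bundle: quarantine attribute, Gatekeeper status, assessment.
assess_app() {
    app=$1
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        echo "quarantine: $q"        # flags;hex timestamp;downloading agent;UUID
    else
        echo "quarantine: not set"
    fi
    spctl --status
    if result=$(spctl -a -t exec -vv "$app" 2>&1 | parse_assessment); then
        echo "gatekeeper: $result"
    else
        echo "gatekeeper: $result"
        echo "refusing to strip com.apple.quarantine from $app" >&2
        return 1
    fi
}

# With an argument, assess that bundle on a Mac; without one, show the parser on the samples.
if [ -n "${1:-}" ]; then
    assess_app "$1"
else
    printf '%s\n' "$SAMPLE_ACCEPTED" | parse_assessment
    printf '%s\n' "$SAMPLE_REJECTED" | parse_assessment || true
fi
```

The point of the exit status is scripting: only after assess_app returns 0 does it make sense to run xattr -d com.apple.quarantine, and a rejected verdict with "no usable signature" or an unnotarized source should stop an install pipeline rather than be silently overridden.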
===== Launchd =====
[[https://www.launchd.info]]
^Type ^Location ^Run on behalf of ^
|User Agents |~/Library/LaunchAgents |Currently logged in user |
|Global Agents |/Library/LaunchAgents |Currently logged in user |
|Global Daemons |/Library/LaunchDaemons |root or the user specified with the key UserName |
|System Agents |/System/Library/LaunchAgents |Currently logged in user |
|System Daemons |/System/Library/LaunchDaemons |root or the user specified with the key UserName |
===== Get logged in user =====
#zsh and bash scripts
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
#sh scripts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
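Added example, not from the original page: the scutil/awk snippet above wrapped into a function that also returns the UID, plus a helper that writes a Global Agent plist into /Library/LaunchAgents and bootstraps it into that user's gui domain with launchctl bootstrap gui/<uid>, which is what the launchd table above implies for code that must run as the logged-in user rather than as root. The parser is shown on constructed scutil output (user alice with UID 501, and a login-window session), so it and the plist generator run offline; install_agent needs a Mac and root. The label and program path are placeholders.

```shell
#!/bin/sh
# Added example: find the console user and install a LaunchAgent into that user's gui session.

# Constructed samples of `scutil` "show State:/Users/ConsoleUser" output (not captured).
SAMPLE_SCUTIL_USER='<dictionary> {
  GID : 20
  Name : alice
  UID : 501
}'
SAMPLE_SCUTIL_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'

# stdin: scutil ConsoleUser dump; stdout: name<TAB>uid. Exit 1 at the login window or with no session.
console_user_info() {
    awk '
    /^ *Name :/ { name = $3 }
    /^ *UID :/  { uid = $3 }
    END {
        if (name == "" || name == "loginwindow") exit 1
        printf "%s\t%s\n", name, uid
    }'
}

# Print a minimal LaunchAgent plist: label, then the program and its arguments.
# Arguments are not XML-escaped here; use plutil or defaults write for untrusted input.
launch_agent_plist() {
    label=$1; shift
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    printf '  <key>Label</key><string>%s</string>\n' "$label"
    printf '  <key>ProgramArguments</key>\n  <array>\n'
    for arg in "$@"; do
        printf '    <string>%s</string>\n' "$arg"
    done
    printf '  </array>\n'
    printf '  <key>RunAtLoad</key><true/>\n'
    printf '</dict>\n</plist>\n'
}

# Global Agent: plist in /Library/LaunchAgents, root-owned and not writable by others,
# bootstrapped into the console user's gui domain. Needs root; macOS only.
install_agent() {
    label=$1; shift
    info=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_info) || {
        echo "no console user logged in" >&2
        return 1
    }
    uid=$(printf '%s\n' "$info" | cut -f 2)
    plist="/Library/LaunchAgents/$label.plist"
    launch_agent_plist "$label" "$@" > "$plist"
    chown root:wheel "$plist" && chmod 644 "$plist"
    plutil -lint "$plist" >/dev/null || return 1
    launchctl bootstrap "gui/$uid" "$plist"
}

# Usage on a Mac, as root: install_agent com.example.agent /usr/local/bin/agent --flag
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SCUTIL_USER" | console_user_info
launch_agent_plist com.example.agent /usr/local/bin/agent --flag
```

launchd refuses plists in /Library/LaunchAgents that are not owned by root or are group/world writable, which is why install_agent fixes ownership and mode before bootstrapping; the login-window check matters because gui/0 is not a real user session and the bootstrap would fail or, worse, run the job in the wrong context.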