MacOS

  • List open listening ports
netstat -an -p tcp | grep LISTEN
# to also have the program name
sudo lsof -i -P | grep -i "listen"
  • Remove the quarantine attribute from a file
xattr -d com.apple.quarantine /path/to/file

Get last connected wifi:

defaults read /Library/Preferences/SystemConfiguration/com.apple.airport.preferences |grep LastConnected -A 7

log show can format its output with --style json, --style syslog or --style ndjson.

Read sudo log:

log show --last 1d --predicate 'process == "sudo" and eventMessage contains "TTY="'
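
Added example, not part of the original cheatsheet: a filter that turns the sudo records returned by the command above into one tab-separated line per event (invoking user, target user, TTY, status, command). The function names and the sample lines are constructed for illustration; it assumes sudo's standard "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." record layout.

```shell
#!/bin/sh
# Added example (not from the original page): summarise sudo records found in
# `log show` text output. Relies on sudo's standard record layout:
#   <user> : [<failure reason> ; ]TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>
# On a Mac: log show --last 1d --predicate 'process == "sudo"' | parse_sudo_events

parse_sudo_events() {    # stdin: log lines; stdout: user, target, tty, status, command (TSV)
  awk '
    function field(s, key,   i, v) {          # value of KEY=... up to the next " ;"
      i = index(s, key); if (!i) return ""
      v = substr(s, i + length(key)); sub(/ ;.*/, "", v); return v
    }
    index($0, "TTY=") && index($0, "COMMAND=") {
      p = index($0, " : "); if (!p) next
      head = substr($0, 1, p - 1); sub(/[ \t]+$/, "", head)
      n = split(head, w, /[ \t]+/); user = w[n]   # last word before " : "
      body = substr($0, p + 3)
      t = index(body, "TTY="); c = index(body, "COMMAND=")
      if (!t || c < t) next                       # not a sudo command record
      status = substr(body, 1, t - 1); sub(/ ; $/, "", status)
      if (status == "") status = "ok"             # otherwise the failure reason
      meta = substr(body, t, c - t)
      # COMMAND is taken to end of line because it may itself contain " ; "
      printf "%s\t%s\t%s\t%s\t%s\n", user, field(meta, "USER="),
             field(meta, "TTY="), status, substr(body, c + 8)
    }'
}

sample_sudo_log() {      # constructed sample lines, not real log output
  cat <<'EOF'
2024-01-01 10:41:07.102233+0000 0x3e8a Default 0x0 4121 0 sudo: alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/id
2024-01-01 10:43:55.771904+0000 0x3f01 Default 0x0 4177 0 sudo: bob : 3 incorrect password attempts ; TTY=ttys002 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh -c echo a ; echo b
2024-01-01 10:44:10.000000+0000 0x3f10 Default 0x0 4180 0 sudo: unrelated message without the record fields
EOF
}

sample_sudo_log | parse_sudo_events
```

Rows whose status is not "ok" are failed or refused attempts and are usually the first ones to review.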

Look at read accesses:

log show --last 10h --predicate 'processImagePath contains "kernel" and senderImagePath contains "Sandbox" and eventMessage contains "file-read-xattr"'

Look at regular local login events:

syslog -F raw -T UTC | grep "_PROCESS"
# or
log show --predicate 'eventMessage contains "SessionAgentNotificationCenter"'

Look at local login with Apple watch/touchID

log show --predicate 'eventMessage contains "LWDefaultScreenLockUI" and (eventMessage contains "authSuccess" or eventMessage contains "authFailWithMessage" or eventMessage contains "loginPressed" or eventMessage contains "authBegan" or eventMessage contains "preLoad")'

Look at sshd and screensharingd login:

log show --info --predicate 'process = "ssh" or eventMessage contains "ssh"'
log show --predicate 'process = "screensharingd" and eventMessage contains "Authentication:"'

Look at TCC update logs (short TTL)

log show --info --predicate 'eventMessage contains[c] "Update Access Record:"'

Airdrop logs

log show --predicate 'eventMessage contains "AirDrop ID"'

Sharing metadata

log show system_logs.logarchive --predicate 'eventMessage contains "SharingDaemon State"'

See discoverability

log show --info --predicate 'eventMessage contains "Scanning mode"'

This command will show activity while AirDropping a photo, a note, a map, and a Safari link.

log show --predicate 'category = "ShareSheet" or category = "SharingUI"'

Log every AirDrop transfer accepted or denied

log show system_logs.logarchive --predicate 'category = "AirDrop" and (eventMessage contains "New incoming transfer" or eventMessage contains "Opening URLs:" or eventMessage contains "alertLog: idx:")' --style compact

Get last logs to debug connectivity issues

/usr/bin/tail -n 15000 /var/log/system.log | /usr/bin/egrep -i "kernel|launchd|vpn|dns|configd|racoon"
log show --last 8h --predicate 'subsystem == "com.apple.networkextension"'
log show --last 8h --predicate 'subsystem == "com.apple.SystemConfiguration"'
log show --last 8h --predicate 'subsystem == "com.apple.symptomsd" AND category == "netepochs"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "dns"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "vpn"'
log show --last 8h --predicate 'subsystem == "com.apple.network" AND category == "connection"'
log show --last 8h --predicate 'eventMessage CONTAINS[cd] "configd" OR process == "configd"'
log show --last 8h --predicate 'subsystem == "com.apple.CoreUtils"'

or in one command

log show --last 8h --predicate '((subsystem == "com.apple.networkextension") || (subsystem == "com.apple.SystemConfiguration") || (subsystem == "com.apple.symptomsd" AND category == "netepochs") || (eventMessage CONTAINS[cd] "dns") || (eventMessage CONTAINS[cd] "vpn") || (subsystem == "com.apple.network" AND category == "connection") || (eventMessage CONTAINS[cd] "configd" OR process == "configd") || (subsystem == "com.apple.CoreUtils") || (eventMessage CONTAINS[cd] "umbrella") || (process == "dns-updater") || (eventMessage CONTAINS[cd] "launchd" AND NOT eventMessage CONTAINS[cd] "invoked (by pid 1/launchd)" AND NOT eventMessage CONTAINS[cd] "OSLaunchdJob")) && (NOT eventMessage MATCHES ".*(/usr/bin/log).*")'

Get log containing FILLME

log show --last 8h --predicate 'eventMessage CONTAINS[cd] "FILLME"'
  • Enable/Disable Gatekeeper
spctl --master-enable
spctl --master-disable
spctl --status
  • Determine if an application is allowed
spctl -a /Path/To/program.app
  • Adding a rule to allow an application. In the following command, we are adding a program (specified by the program path) to the rule called “MyLabel.”
spctl --add --label "MyLabel" /Path/To/program
  • Enable or disable the rule
spctl --enable --label "MyLabel"
spctl --disable --label "MyLabel"
  • Listing and deleting rules
spctl --list
spctl --remove --label "MyLabel"

https://www.launchd.info

Type            Location                        Run on behalf of
User Agents     ~/Library/LaunchAgents          Currently logged in user
Global Agents   /Library/LaunchAgents           Currently logged in user
Global Daemons  /Library/LaunchDaemons          root or the user specified with the key UserName
System Agents   /System/Library/LaunchAgents    Currently logged in user
System Daemons  /System/Library/LaunchDaemons   root or the user specified with the key UserName
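
Added example, not part of the original cheatsheet: an inventory of the launchd jobs in the five locations from the table above, printing for each plist its type, the account it runs as (honouring the UserName key for daemons), its Label and its path. The function names are illustrative, and the key lookup is a simple line scan of the XML form that assumes one element per line, as plutil writes it.

```shell
#!/bin/sh
# Added example (not from the original page): inventory launchd jobs in the
# five locations listed in the table, with the account each one runs as.

plist_xml() {            # print a plist as XML (plutil also decodes binary plists)
  if [ "$(uname)" = Darwin ]; then plutil -convert xml1 -o - "$1"; else cat "$1"; fi
}

plist_string() {         # $1 = plist, $2 = key; prints the <string> following that key
  plist_xml "$1" | awk -v k="<key>$2</key>" '
    !found && (i = index($0, k)) { found = 1; $0 = substr($0, i + length(k)) }
    found && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17); exit }
    found && NF { exit }   # the value is not a plain string (array, dict, ...)
  '
}

# $1 = filesystem root ("" for the live system, or a mounted image), $2 = home dir.
launchd_inventory() {
  while IFS='|' read -r type dir runas; do
    for p in "$dir"/*.plist; do
      [ -f "$p" ] || continue
      who=$runas
      if [ "$runas" = root ]; then      # daemons: honour the UserName key
        who=$(plist_string "$p" UserName); who=${who:-root}
      fi
      printf '%s\t%s\t%s\t%s\n' "$type" "$who" "$(plist_string "$p" Label)" "$p"
    done
  done <<EOF
User Agents|$2/Library/LaunchAgents|console-user
Global Agents|$1/Library/LaunchAgents|console-user
Global Daemons|$1/Library/LaunchDaemons|root
System Agents|$1/System/Library/LaunchAgents|console-user
System Daemons|$1/System/Library/LaunchDaemons|root
EOF
}

launchd_inventory "" "$HOME"
```

Entries outside /System/Library are the ones that can be added after installation, so they are the usual starting point when reviewing what starts automatically.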

Get the currently logged-in console user:

# zsh and bash scripts
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# sh scripts
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
  • Last modified: 2024/10/14 20:59