Mac Specific

Multiple Mac Policies

For Mac estates being managed by ePO, multiple policies being applied simultaneously is supported, for example:

  • epo.xml
  • epo001.xml
  • epo002.xml

In the example above, if the policy precedence is set for ePO policies, then rules processing will first check the rules in epo.xml. If no rules are found for the process in this policy, then it will go through the epo001.xml. Each policy is processed in an alpha-numeric/C locale order. This continues until the process hits a rule or the dppolicyserverd reads all of the policies without finding a match.

If multiple policies are loaded, only one of them requires a Privilege Management for Mac license. We recommend you do not use multiple licenses in this configuration. Each policy can have a different Challenge-Response key.

Copy and pasted policies with altered rules are still processed, the dppolicyserverd log outputs whether it replaced GUIDs when loading them into memory if it was a duplicate.

Mac Application Templates

Privilege Management for Mac ships with some standard application templates to simplify the definition of applications that are part of the operating system. The standard application templates are split into categories:

  • System Preference Panes
  • Bundles
  • Binaries

Each category then has a list of applications for that category. Picking an application will cause the application to be prepopulated with the appropriate information.

Mac Audit Logs

How to log events to a file:

  1. When Privilege Management for Mac is installed, it checks to see if the following path and file is present. If it's not, it creates it: /var/log/defendpoint/audit.log
  2. This file cannot be edited during output. If this file is deleted, Privilege Management for Mac recreates it dynamically. If the folder structure is deleted, Privilege Management for Mac recreates it when the endpoint is restarted.

 

  1. To view the log file, run the following command in Terminal. By default, Standard users are not permitted to run this sudo command. You must configure a policy to allow this.

    Optionally, you can use the CaptureConfig utility. Please contact BeyondTrust Technical Support to get a copy.

sudo cat /var/log/defendpoint/audit.log  
  1. The log file is maintained by the core macOS service newsyslog. The newsyslog.conf file contains various log files and associated settings and is maintained by the core macOS. The newsyslog.conf file is located at /etc/newsyslog.conf.

This part of the set up must be done by a user who can write to this location or by using a mobile device management (MDM) solution.

  1. In the newsyslog.conf file, the settings are outlined and have column headers:
    • logfilename
    • mode
    • count
    • size
    • when
    • flags
  2. For the purposes of the maintenance of the audit.log file, you must populate the logfilename, mode, count, size and/or when, and flags attributes in the newsyslog.conf file.
    • logfilename: Path and filename
    • mode: File mode. For example, settings for read/write for each user type (POSIX file permissions)
    • count: Count for amount of archived files (count starts from 0)
    • size: Threshold for log size in KB
    • when: Threshold for log size in terms of time. For example, new log everyday at X, or every month
    • flag: Instruction for processing the archived/turn-over file. This is most likely to be JN or ZN

    An example of a line in the newsyslog.conf for Privilege Management for Mac:

/var/log/defendpoint/audit.log 644 5 1000 * JN

This indicates that:

  • The filename is audit.log
  • It can be viewed by all user types but can only be edited by the root user
  • It has an archive count of 5 (6 archived files, not including the current log)
  • It has a threshold of 1MB for turn-over/archiving
  • It doesn't have a date turn over
  • For archiving, files are to be compressed into a bzip file

The threshold relies on the newsyslog service. This service is "low" priority in macOS and only reads the .conf file approximately every 30mins. Using the example line above, the log can become greater than 1MB prior to the service reading the newsyslog.conf file due to it being a ‘threshold’ value, rather than each log file being of equal size.

  1. After you apply the newsyslog.conf by adding the audit.log line to it, you can run sudo newsyslog -nv in the Terminal to see the state of the logging, when the next roll over is, and whether there are any syntax issues.

Unified Logging

Unified logging is available in macOS 10.12 and later and supersedes Apple System Logger (ASL). Prior to macOS 10.12, log messages were written to specific disk locations. Unified logging means the log messages are stored in memory or in a data store and can viewed in the Console application and the log command line tool.

To view the debug logs of a process on the endpoint:

  1. Open the Console app. By default, debug and info messages are not displayed. You can select an event in the main window to view the logs for it.
  2. Click Now in the top left of the tool bar to see new messages in real time.
  3. Select Actions > Include Info Messages and Actions > Include Debug Messages to add these to the log.
  4. Using the search bar on the top-right, you can enter the name of a process that you want to filter on. For example, defendpointd for Privilege Management for Mac or PMCAdapter for PMC Adapter log messages.
  5. You can further manipulate the filter from the search bar or by right-clicking on the process and selecting an additional filter option.

For more information about unified logging, please see Logging.

Obtain Debug Logs from the Endpoint

Unified logging does not store info or debug strings on the hard disk. They are only displayed while the Console application is open. You must use the log config command to create plist files for each Privilege Management for Mac daemon and change the logging file. These plists are created in the /Library/Preferences/Logging directory.

In lieu of using the method below, you can obtain debug logs from the endpoint using the CaptureConfig utility. Please contact BeyondTrust Technical Support to obtain it.

  1. To create plists and change the logging level for the Privilege Management for Mac daemons, run the following commands in the terminal:
  2. sudo log config --subsystem com.avecto.defendpointd --mode persist:debug
    sudo log config --subsystem com.avecto.custodian --mode persist:debug
    sudo log config --subsystem com.avecto.dppolicyserverd --mode persist:debug
    sudo log config --subsystem com.avecto.Defendpoint --mode persist:debug
  3. Once these commands have been run, you have two options:
    • Obtain a centralized log you can send to BeyondTrust Technical Support. This is the recommended approach.

 

You would ideally collect the logs into a central log file using the following command, however this logs every process on the endpoint, not just the Privilege Management for Mac processes.

sudo log collect —-last <num><m/h/d>

You must replace the <num> value with an integer and then append m for months, h for hours, or m for minutes depending on how long it took to replicate the issue. This will produce a .logarchive file in the current user's directory.

    • Alternatively, you can create a log for each Privilege Management for Mac daemon by using the following commands. This process outputs .log files in the user's home directory that can be edited or moved as required. As this information is split across multiple log files, it is not the recommended approach, however it can be used when the first approach is not viable.
log show --predicate 'subsystem == "com.avecto.custodian"' --style json --debug --last 1h > ~/Documents/Custodian.logarchive
log show --predicate 'subsystem == "com.avecto.defendpointd"' --style json --debug --last 1h > ~/Documents/defendpointd.logarchive
log show --predicate 'subsystem == "com.avecto.dppolicyserverd"' --style json --debug --last 1h > ~/Documents/dppolicyserverd.logarchive
log show --predicate 'subsystem == "com.avecto.Defendpoint"' --style json --debug --last 1h > ~/Documents/Defendpoint.logarchive

We strongly recommend you delete the .plists after use and disable debug level of logging persistence, especially on an SSD.

Anonymous Logging

By default, Privilege Management for Mac will include user and computer specific information in all audit events. You can set your Application Rules to not log this information for events associated with your rules by setting the Raise an Event option to On (Anonymous) on each rule.

You can also set whether user or computer information is kept anonymous for audit events that are not associated with a rule, such as events raised for having an invalid license.

To enable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>true</string>

To disable anonymous auditing for events not associated with a rule, edit the following section in the defendpoint.plist configuration file:

<key>AnonymousLogging</key>
<string>false</string>

Add Privilege Management for Mac Settings to a Mac Client Computer

Privilege Management for Mac settings are stored in the file /etc/defendpoint/local.xml, and can be overwritten with an exported XML file from the MMC. To prevent any invalid permissions being applied, we recommend this file be replaced using the following command. In this example, the source XML file is located on your Desktop:

sudo cp ~/Desktop/local.xml /etc/defendpoint/local.xml

Privilege Management for Mac will apply the new settings immediately, and does not require any restart.

If all policies are deleted, the local.xml policy is regenerated. The regenerated local.xml policy will not contain any license or rules.

Mac Sudo Command Arguments Not Supported

The following arguments are not supported by Privilege Management for Mac when you're using sudo:

Option (single dash) Option (double dash) Description
-A --askpass use a helper program for password prompting
-C num --close-from=num close all file descriptors >= num
-E --preserve-env preserve user environment when running command
-g group --group=group run command as the specified group name or ID
-H --set-home set HOME variable to target user's home dir
-h host --host=host run command on host (if supported by plugin)
-K --remove-timestamp remove timestamp file completely
-k --reset-timestamp invalidate timestamp file
-l --list list user's privileges or check a specific command; use twice for longer format
-n --non-interactive non-interactive mode, no prompts are used
-P --preserve-groups preserve group vector instead of setting to target's
-p prompt --prompt=prompt use the specified password prompt
-U user --other-user=user in list mode, display privileges for user
-u user --user=user run command (or edit file) as specified user name or ID
-v --validate update user's timestamp without running a command

Use Centrify

If you are using Centrify to bind MacOS endpoints to Active Directory, contact BeyondTrust Technical Support for assistance.