=Start=
Background:
A quick, simple note of some things I have seen recently, for future reference.
Body:
Reference answer:
TL;DR, one-sentence summary:
configd is the (core) daemon on macOS responsible for many aspects of local system configuration. Currently, most of the configuration agents hosted by configd are used to establish and maintain the network configuration (interface names, establishing and maintaining IP addresses, routes, network proxies, and so on).
configd is a system configuration daemon that runs behind Mac OS X, most users will never notice or see the core OS X process running in the background of their Macs. With that said, configd can sometimes act up and cause unusual CPU spikes and fan activity making your Mac sound like a wind tunnel. Odd configd behavior is easily diagnosed by launching Activity Monitor, sorting by the “% CPU” option, and seeing the ‘configd’ root user process sitting at the top taking up somewhere between 20-95% CPU. If that behavior lasts for a minute or so it’s usually not a big deal, temporary spikes can be normal so just let it run and ignore it, but there are times where configd can go inexplicably errant and it’ll sit around 50% CPU utilization or more for hours for no obvious reason – that is what we’re looking to resolve here.
$ man configd
...
# DESCRIPTION
The configd daemon is responsible for many configuration aspects of the local system. configd maintains data reflecting the desired and current state of the system, provides notifications to applications when this data changes, and hosts a number of configuration agents in the form of loadable bundles.
Each configuration agent is responsible for a well-defined aspect of configuration management. The agents look to one or more input sources (preferences, low-level kernel events, configd notifications, etc) and, through a set of policy modules, interacts with the system to establish the desired operational configuration.
Access to the data maintained by configd is via the SystemConfiguration.framework SCDynamicStore APIs.
...
# BUNDLES
At the present time, the majority of the configuration agents (or bundles) hosted by configd are used to establish and maintain the network configuration. These agents include:
KernelEventMonitor
This bundle is responsible for monitoring kernel events and conveying changes to the network state (e.g. link status) to other configuration agents and interested applications.
InterfaceNamer
This bundle provides a name to each of the system's network interfaces. The bundle queries the IOKit Registry for a list of network devices attached to the system and gives them BSD style names such as "en0".
IPConfiguration
This agent is responsible for establishing and maintaining IPv4 and IPv6 addresses on the system. These addresses may be manually specified in the network preferences or acquired using DHCP (or BOOTP), DHCPv6, and RTADV.
IPMonitor
This agent is responsible for establishing and maintaining the primary network service, the default route, the active DNS configuration, and the active network proxies on the system.
LinkConfiguration
This agent is responsible for establishing and maintaining the media type, media options, and MTU for ethernet interfaces.
PreferencesMonitor
This agent is responsible for conveying the network configuration preferences specified by the administrator to the various configuration agents (IPv4, IPv6, ...).
PPPController
This agent is responsible for establishing and maintaining PPP connections on the system.
A small trick on macOS involving the configd process and the log command:
log show --predicate '(processImagePath contains "configd") && (eventMessage contains "en0: SSID ")' --style syslog --last 1d
From actual testing on my own machine, the macOS log command retains roughly one month of data (this presumably depends on how much log volume your own usage generates; the more logs, the shorter the retention period), which is generally enough for routine troubleshooting.
Reference links:
configd: Fixing High CPU Usage Problems with the configd Process in Mac OS X
https://osxdaily.com/2013/09/30/configd-mac-os-x-fix/
What Is configd, and Why Is It Running On My Mac?
https://www.howtogeek.com/338196/what-is-configd-and-why-is-it-running-on-my-mac/
What is configd? Why is it running on my Mac?
https://blog.csdn.net/culinqian4296/article/details/108781314
What Is This Process and Why Is It Running on My Mac?
https://www.howtogeek.com/312671/what-is-this-process-and-why-is-it-running-on-my-mac/
=END=
6 comments on “What is configd on macOS?”
How to view Software Update history?
https://apple.stackexchange.com/questions/104989/how-to-view-software-update-history
`
# Method 1: System Information
Launchpad -> Other -> System Information -> Software -> Applications
# Method 2: InstallHistory.plist
grep -C5 "macOS " /Library/Receipts/InstallHistory.plist
`
How to view software update history?
https://qastack.cn/apple/104989/how-to-view-software-update-history
How to view the dates and records of macOS system version updates?
`
Launchpad -> Other -> System Information -> Software -> Installations
Under (macOS) or (Command Line Tools for Xcode) you can see the install date and time of these two key packages. For example:
macOS Catalina 10.15.6 Update:
Source: Apple
Install Date: 2020/8/31 4:04 PM
macOS Catalina 10.15.7 Update:
Source: Apple
Install Date: 2020/9/30 10:10 AM
macOS Big Sur:
Version: 11.0.1
Source: Apple
Install Date: 2020/11/13 4:00 PM
macOS 11.0.1:
Version: 11.0.1
Source: Apple
Install Date: 2020/11/13 7:47 PM
...
`
What Is installd, and Why Is It Running on My Mac?
https://www.howtogeek.com/196970/what-is-the-installd-process-in-os-x-and-why-is-it-using-cpu-on-my-mac/
`
Background: I noticed the Mac Pro's fan had been spinning for a long time; opening Activity Monitor showed an installd process with persistently high CPU usage, so I searched for what this process does and whether it could be killed.
Conclusion: it is a daemon responsible for installing/updating/removing applications, and it should settle down once the related operations finish. I was also in the middle of preparing a macOS system update, so that seems to match; I'll check again after the update completes.
`
What is the `installd` process, and why is it eating my CPU?
https://apple.stackexchange.com/questions/87109/what-is-the-installd-process-and-why-is-it-eating-my-cpu
While recently searching for how to disable iCloud sync on macOS via MDM, I happened to come across jamf's repository and an article about the macOS Unified Logging System. It overlaps in places with the "small trick on macOS involving the configd process and the log command" I noted above, but jamf provides more scenarios and filter syntax, which are worth referring to when needed:
```
log show --predicate 'subsystem == "com.apple.sharing" AND process == "AirDrop" AND processImagePath BEGINSWITH "/System/Library" AND eventMessage BEGINSWITH "Successfully issued sandbox extension for"'
```
airdrop_transfer_outbound # AirDrop outbound transfer records
application_firewall_logging
configuration_profile_manual_install
configuration_profile_manual_removal
gatekeeper_file_access_rejections_and_user_bypasses
gatekeeper_file_access_scan_activity
local_user_password_change_failure
local_user_password_change_success
lock_screen_unlock_failure
login_through_login_window_with_apple_watch_success
login_through_login_window_with_password_failure
login_through_login_window_with_password_success
login_through_login_window_with_touch_id_failure
login_through_login_window_with_touch_id_success
mdm_profile_manual_removal # manual removal of an MDM-delivered configuration profile
modifications_dns_settings # changes to DNS settings
network_server_connection_attempts_outbound
root_user_enabled_or_password_changed
screen_sharing_connectons_inbound
sudo_access_failed_incorrect_password
xprotect_remediator_scan_activity
Unified Log Filtering
https://github.com/jamf/jamfprotect/tree/main/unified_log_filters
https://learn.jamf.com/bundle/jamf-protect-documentation/page/Unified_Logging.html
`
The Unified Logging system on macOS provides a central location to store log data on the Mac. The Console and Terminal apps allow users to view, stream, and filter this data on computers to manually troubleshoot errors or detect threats.
With Jamf Protect, you can use the same predicate-based filter criteria that are often used with the log command to collect relevant log entries from computers and send them to a security information and event management (SIEM) solution or a third party storage solution (e.g., AWS).
`
A command-line tool that generates a QR code so you can share local files with phones on the same LAN.
https://github.com/parvardegr/sharing
`
# Not tested yet, but it looks impressive; judging from the feature list, apart from the clipboard, the principle looks like an enhanced SimpleHTTPServer with upload and download support
Sharing is a command-line tool to share directories and files from the CLI to iOS and Android devices without the need of an extra client app
* share directory and file
* share your clipboard (this one is quite impressive)
* receive file
* support basic authentication
* support ssl
sharing depends on node v16.x or later
==
1. Install
* npm install -g easy-sharing
2. Share a file or directory
* sharing /directory-or-file-to-share
3. Scan the QR-Code with your phone
* both devices must connect to the same Wi-Fi or, if you have a public IP address, use the --ip parameter.
* sharing --ip your-public-ip-address /directory-or-file-to-share
4. Tada! Just browse the directory and download any file you want
note: macOS users should use the easy-sharing binary instead of sharing
example: easy-sharing /file-or-directory
`
How to locate the process issuing malicious requests on an endpoint?
https://www.anquanke.com/post/id/287604
`
# Preface
In daily work, we often detect malicious domain requests originating from the office network. However, without the assistance of EDR tools, locating these malicious requests is often inefficient. So we have summarized some methods that help improve the efficiency of locating them, including the use of open-source tools and analysis of the system's own logs. These methods help us locate the process issuing malicious domain requests from the office network faster and more accurately, improving our security response capability.
# macOS section
Security tools
When thinking about this problem, the first idea was to leverage existing security tools, so we surveyed several tools with network monitoring capabilities; below we show the actual usage results of the two tools that meet the requirement.
## Huorong Sword (火绒剑) for Mac
Huorong provides the ability to monitor the network activity of processes.
In actual testing, enabling the filter for DNS requests produced no output at all. However, for domains that resolve to a fixed IP, you can enable monitoring and filter on the specified IP to assist in locating the process.
## DNSMonitor
DNSMonitor is an open-source security tool that uses Apple's Network Extension Framework to monitor DNS requests and responses.
Usage: unzip the software into the Applications directory; after launching it, allow it to load the system extension and monitor DNS traffic, and it is ready to use.
It can obtain the path and process ID of the program issuing the DNS request, which perfectly matches the requirement.
## Enabling private data logging in the macOS unified log and querying it
The macOS unified log is a new logging system first introduced in Mac OS X 10.12 Sierra. It consolidates multiple log sources, including system logs, application logs, and security logs, into one unified log store. It contains DNS request logs, but by default they are recorded as private data and must be enabled manually. The method of enabling them differs between system versions after Sierra.
Note: only logs generated after private data logging is enabled can be queried; historical logs are still shown as private. In actual testing on Ventura only some of the private data logs were shown; with limited time, we did not investigate further.
## Summary
Each of the above methods has its pros and cons. DNSMonitor perfectly solves the problem posed at the start, while Huorong's monitoring capability in this scenario is slightly weaker than DNSMonitor's, although its capabilities are not limited to network monitoring. If you do not want to rely on third-party tools, you can enable private data logging using the method above that matches your system version; and if you do not trust third-party configuration profiles, you can write your own by following the official documentation.
# Windows section
Microsoft's Sysmon 10 integrates DNS query logging, which lets Sysmon users record the DNS queries performed by processes on monitored computers. Judging from the feature description, it fits the requirement.
Download it from the official download page and install it by running sysmon.exe -accepteula -i sysmonconfig-export.xml in a cmd window; the configuration file comes from the open-source GitHub project sysmon-config.
After installation, DNS request logs can be viewed in Event Viewer under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational, with event ID 22.
To query a specific domain, you need to edit an XML-format query for filtering; here is a PowerShell script that queries a given domain within a given time range, along with the user and process ID that issued the DNS request.
`
https://github.com/SwiftOnSecurity/sysmon-config
https://huorong.cn/info/1620802825658.html
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
https://georgegarside.com/blog/macos/sierra-console-private/#google_vignette
https://saagarjha.com/blog/2019/09/29/making-os-log-public-on-macos-catalina/
https://github.com/objective-see/DNSMonitor
https://objective-see.org/products/utilities.html
https://saagarjha.com/blog/2019/09/29/making-os-log-public-on-macos-catalina/#putting-it-all-together
https://developer.apple.com/documentation/devicemanagement/systemlogging
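As an added example (not the anquanke article's script, which is not reproduced above, and not part of the original page), here is a PowerShell query that does what the Windows section describes: pull Sysmon DNS query events (Event ID 22) for a time window and report the user, process ID and image that resolved a given domain. It assumes Sysmon is installed with DNS logging enabled (as the sysmon-config profile does); the script name and the `User` field on older Sysmon versions are assumptions.

```powershell
# Find-DnsQuerySource.ps1 (hypothetical name): which process resolved $Domain?
# Added example; reads Sysmon Event ID 22 (DnsQuery) from the Operational log.
param(
    [Parameter(Mandatory)][string]$Domain,           # e.g. "evil.example" (constructed)
    [datetime]$Start = (Get-Date).AddHours(-24),
    [datetime]$End   = (Get-Date)
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22                                   # Sysmon DnsQuery event
    StartTime = $Start
    EndTime   = $End
}

# SilentlyContinue: Get-WinEvent throws when the window contains no events at all.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read fields by name from the event XML instead of relying on the order of
    # $_.Properties, which has changed between Sysmon versions.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.QueryName -like "*$Domain*") {
        [pscustomobject]@{
            UtcTime      = $data.UtcTime
            QueryName    = $data.QueryName
            ProcessId    = $data.ProcessId
            Image        = $data.Image
            User         = $data.User            # assumption: empty on Sysmon builds without the User field
            QueryResults = $data.QueryResults
        }
    }
} | Sort-Object UtcTime | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, for example `.\Find-DnsQuerySource.ps1 -Domain evil.example -Start '2023-05-01' -End '2023-05-02'`; pair the returned ProcessId with Sysmon Event ID 1 (process creation) to recover the parent process and command line.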