Reprint: Extending the Casper Suite with Dummy Packages

Questions about this article have come up in conversations with other Mac sysadmins.  As the reprint rights have since reverted back to me, I’m glad to share the content.

This content is copyright © 2009 by Miles A. Leacy IV.  Permission is granted to redistribute the article in its unaltered form.

Download the article at the link below (opens in a new window):

https://drive.google.com/open?id=1Qax-mKcTWgBnu9IANZGORyaiLDG65VV1

A few notes:

  • The Dummy Package/Dummy Receipt workflow is no longer necessary as of Casper Suite version 7.  Extension Attributes provide the same functionality in a much more usable (not to mention supported) fashion.
  • The script contained in the article can be altered for use in an Extension Attribute. This will be covered in a follow-up post on this site.
  • You may want to add terms other than “Firmware” to the script, such as “SMC”, “EFI”, etc., to cover all known firmware updates.

I hope some of you will find this article useful.

Lion Server

So, the rumors were true.  Or they weren’t.  Or both.

According to Apple’s website, there will, in fact, be a Lion Server.  However, it seems that it will not be sold in its own box, but rather Lion server is going to be a component of Mac OS X Lion.

Currently, there are only four paragraphs and three low-resolution screenshots available to the general public, but here’s what I’ve been able to glean.

  • There will be no separate Server OS.  Lion Server is a set of tools in Mac OS X Lion.
  • Profile Manager – A system for “profile-based setup and management for Mac OS X Lion” and iOS.  From the screenshot, it looks like Lion Server will provide iPhone Configuration Utility functionality for both iOS and Mac OS X Lion.
  • Wiki – Apple devotes one of the four paragraphs to this item.  They mention Podcasts, so this admin assumes that Podcast Producer or its replacement will be present.
  • Wireless File Sharing for iPad (via WebDAV) – another paragraph is devoted to this item.  Only the iPad is specifically referenced.
  • Other services mentioned: Users and groups, Push notifications, File sharing, Calendaring, Mail, Contacts, Chat, Time Machine, VPN, Web

My questions…

  • What is a “profile” as defined by Profile Manager and what is configured and contained in/by it?
  • Is wireless file sharing for iPad truly for iPad only?  Is this an oversight in the Lion preview info, or are iPhones and iPod Touch devices left out in the cold by this feature?
  • Does “users and groups” refer to the next iteration of Open Directory?  I’d assume so, but Apple often surprises us.
  • Since Lion Server is a component of the client OS, are there any charges for it?  This seems unlikely unless Apple is changing its model.  One possibility (and pure speculation on this Admin’s part) is that the server components could be a paid download from the Mac App Store.  I doubt that Apple would introduce CALs.

To me, it makes sense that Lion Server is part of, or an add-on to, the client OS.  Mac OS X Server has always been a superset of Mac OS X.

Apple’s Mac OS X Lion page:
http://www.apple.com/macosx/lion/

Managing Spotlight

The long hiatus is over, and The Mac Admin is back.  Here’s a short item to get started with…

Recently, I had been experiencing some frustration as my Spotlight results weren’t including items I’d expected, such as applications when my search term was the correctly spelled application title.  The solution to this is to reset Spotlight’s cache, causing it to be rebuilt.

The command used is mdutil.  From the man page, mdutil’s purpose is to “manage the metadata stores used by Spotlight”.  Note that mdutil requires root privileges, so sudo may be needed for this command.  I used the command below to fix my own Spotlight problems.

mdutil -E /

The -E flag erases the spotlight cache on the volume(s) specified.  In this case, only the root, or booted, volume is specified, represented by the “/” character.  By adding the “a” flag and omitting the volume specification, the command will erase the caches on all volumes, like so…

mdutil -Ea

The “i” flag can be used to turn indexing on or off for the specified volumes.  For example, let’s say I have a flash drive volume called myFlashDrive. If I want to remove the existing cache and prevent Spotlight from creating a new one, I can run the following command…

mdutil -E -i off /Volumes/myFlashDrive

I hope this is helpful.

NSA Security Recommendations Part 1

The United States National Security Agency has published a pamphlet titled Hardening Tips for the Default Installation of Mac OS X 10.5 “Leopard” (title links to document).  I consider many of these tips to be no-brainers, some to be best practices, and the rest have variable value depending on your organization’s requirements.  This article is the first of a series in which I’ll examine each of these tips, how to automate their implementation, and discuss any caveats for each.

Note: The NSA document, and therefore this series of articles, refers specifically to Mac OS X version 10.5 (Leopard). The ideas and techniques should transfer to 10.6 (Snow Leopard), but be sure to test carefully before putting them into production. I will discuss any changes required to implement each recommendation in 10.6.

Don’t Surf or Read Mail using Admin Account

This falls into the “no-brainer” category.  I firmly believe that in an organization where the end user does not own his or her computer, there is no reason for that user to have administrative rights on the system.  For every so-called valid reason to grant administrative permission that I have encountered, there is a workaround that gives the user the ability to do their job without granting admin rights.  If you find yourself fighting against an organizational culture that wants admin rights for end users, you can counter with this statement:

“If end users have administrative rights, no IT group can make any guarantees or reliably satisfy any SLA regarding the performance, security or continued operability of the systems in question.”

Put simply, if unqualified people can mess with the works, then all bets are off.

Not being a technical procedure, this concept holds true for Snow Leopard, all other versions of Mac OS X and for any other OS as well.

If you believe you have a valid reason to grant administrative privileges to end users, or your organization is forcing you to grant those privileges for a particular reason or reasons, please leave a comment. I’ll do my best to describe a solution to the given problem without granting administrative rights.

Script: Enable Remote Management (ARD)

Here’s another script for zero-touch deployment. If you want to enable Remote Management for Apple Remote Desktop access, this script will get you there.

This script uses the kickstart command which is buried within the ARDAgent application. Entering the following command in Terminal will display the full listing of options and examples available with this tool.

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart help

I have most commonly enabled the Remote Management service, granted all privileges to a single local admin user used by IT staff, and restarted the agent and menu extra to allow the agent to read the new configuration. The script below will accomplish these items. Reviewing the kickstart help will give you the syntax to write your own script to accomplish different Remote Management configurations.

#!/bin/bash

##### HEADER BEGINS #####
# scr_sys_enableARDforAdminUser.bash
#
# Created 20081231 by Miles A. Leacy IV
# miles.leacy@themacadmin.com
# Modified 20090812 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header
# remains intact.
#
# This script is provided "as is". The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk. The author takes no responsibility
# for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any
# other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again. When you're certain it's ok, test
# twice more.
#
# This script:
# - enables the Remote Management service (ARD)
# - grants access and all privileges to the user "admin"
# - restarts the ARD agent and the ARD menu extra
#
# This script must be run as root (done automatically when deployed with
# the Casper Suite).
#
# When using the script with a Casper Suite configuration for imaging,
# set it to run At Reboot.
#
##### HEADER ENDS #####

/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -users admin -privs -all -restart -agent -menu

Printing For Non-Admins In Leopard

This is a topic I’ve seen covered in many places, however most of the articles I see on this topic only get part of the solution or solve it in a way that creates unnecessary security issues.  In light of this, I’ve decided to talk about what I consider to be the best practices on the subject and the reasons why.

Why Did Apple Limit The Printing System?

Unless you know why Apple imposed security restrictions on the printing system, it seems pretty silly and detrimental to users.  After I understood the reasons behind the change, it made a lot of sense.

When you add a printer in CUPS (Common UNIX Printing System, the printing software under the proverbial hood) and specify a PPD file for that printer, the PPD file can, and often does, run software as root.  This function of the printing system could be used to run malicious code.  To help mitigate this risk, administrator authentication is required if the logged in user is not an administrative user or if the “Require password to unlock each System Preferences pane” box has been checked in the Security System Preferences Pane.  None of this is an issue in the “typical” home computer installation since there is only one user and that user is an administrator.  For environments that require extra security, indicated by having standard (non-admin) user accounts and/or system preference restrictions, this vulnerability is closed.

Make A Spare Key; Don’t Remove the Door

Many of the blogs and forum posts I’ve read on this subject advocate the removal of CUPS security features.  If this sounds like a good idea, ask yourself this: if you wanted to give someone access to your home, would you take your front door off its hinges or give this person a key?  I think the answer is clear.

Understanding The Lock

Before we can make our “spare key”, we need to understand how the lock works.  To do that, we’ll look at the default CUPS configuration file, found at /private/etc/cups/cupsd.conf, and how it defines CUPS operation policies.  Every Mac OS X Leopard installation includes detailed documentation on this subject at http://localhost:631/help/policies.html (link opens in a new window).  For our purposes, we’ll look at the specific section of the cupsd.conf file that covers adding, deleting and setting default printers, but this URL is your best reference for CUPS operation and configuration.

# All administration operations require an administrator to authenticate...
     <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
CUPS-Delete-Class CUPS-Set-Default>
          AuthType Default
          Require user @SYSTEM
          Order deny,allow
     </Limit>

The line that reads Require user @SYSTEM is what dictates that administrative authentication is required.

Making the Spare Key

Many people are recommending deleting or commenting out this block of text. This is the equivalent of taking the door off of the hinges that I mentioned. Instead, we can modify this block to grant permission to groups that we define, rather than removing the security feature. If we add user or group names to the line that reads Require user @SYSTEM, those users and members of those groups will be granted the add, delete and set default permissions. See the example below…

# All administration operations require an administrator to authenticate...
     <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class
CUPS-Delete-Class CUPS-Set-Default>
          AuthType Default
          Require user @SYSTEM @admin @lpadmin @mycustomgroup
mycustomuser
          Order deny,allow
     </Limit>

This modification allows the members of the admin, lpadmin and mycustomgroup groups and the user mycustomuser to add, delete and set default printers. Group names require the preceding “@” character, usernames do not.

Going Further

There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way. The CUPS help file (link at the top of this article) contains details on 38 different printing system operations that can be governed by the cupsd.conf file and detailed instructions on creating your own policies within the file. Using that information, you should be able to configure virtually any required or desired security settings.
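Here is an added example (not code from the original article) that makes the “spare key” edit above programmatically rather than by hand: it appends extra groups and users to the Require line of the one Limit block that governs adding, deleting and setting default printers, keeps a backup, skips principals that are already listed, and leaves every other policy block untouched. It assumes the stock layout (a single-line <Limit … CUPS-Add-Printer …> opener with a “Require user @SYSTEM” line inside it); the sample cupsd.conf fragment is constructed for the example, and the group and user names are the article’s own placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: grant the add/delete/set-default
# printer operations to extra groups or users by editing the one relevant
# <Limit> block in cupsd.conf, leaving every other policy untouched.
# Assumptions: the stock layout with a single-line <Limit ... CUPS-Add-Printer ...>
# opener and a "Require user @SYSTEM" line inside it; group names carry a
# leading "@", user names do not, exactly as in the article.

# Constructed sample cupsd.conf fragment so the example runs offline.
make_sample_conf() {
  cat > "$1" <<'EOF'
# All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
# Another policy block that must not be changed by the edit.
  <Limit Pause-Printer Resume-Printer>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
EOF
}

# grant_printer_admin CONF PRINCIPAL...
# Appends each principal to the Require line of the printer-admin block,
# skipping any that are already listed. Keeps a backup at CONF.bak.
grant_printer_admin() {
  conf=$1
  shift
  cp "$conf" "$conf.bak"
  awk -v extra="$*" '
    /^[[:space:]]*<Limit / && /CUPS-Add-Printer/ { inblock = 1 }
    inblock && /^[[:space:]]*Require user / {
      n = split(extra, want, " ")
      for (i = 1; i <= n; i++) {
        found = 0
        # fields 1 and 2 are "Require" and "user"; principals start at field 3
        for (j = 3; j <= NF; j++) if ($j == want[i]) found = 1
        if (!found) $0 = $0 " " want[i]
      }
    }
    inblock && /<\/Limit>/ { inblock = 0 }
    { print }
  ' "$conf.bak" > "$conf"
}

# Print the Require line of the printer-admin block (whitespace-trimmed),
# so the result can be checked before cupsd is made to reload the file.
printer_admin_require_line() {
  awk '
    /^[[:space:]]*<Limit / && /CUPS-Add-Printer/ { inblock = 1 }
    inblock && /^[[:space:]]*Require user / { sub(/^[[:space:]]*/, ""); print; exit }
  ' "$1"
}

# Demo against the constructed sample:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sample_conf "$d/cupsd.conf"
  grant_printer_admin "$d/cupsd.conf" @lpadmin @mycustomgroup mycustomuser
  printer_admin_require_line "$d/cupsd.conf"
fi
```

On a real system the call would be grant_printer_admin /private/etc/cups/cupsd.conf @lpadmin @mycustomgroup mycustomuser, run as root, followed by a cupsd restart so the new policy is read; the .bak copy is the way back if the result is not what you expected. Because the script only ever appends to the Require line, @SYSTEM and the AuthType Default line stay in place, which is the whole point of the “spare key” approach.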

Script: Set Network Time Server

Mac OS X provides a one-stop command for viewing and setting several OS configuration items.  The systemsetup command is found at /usr/sbin/systemsetup.

Running the command:

man systemsetup

in the Terminal application will return a full listing of the options available in this command.  This script uses the systemsetup command to configure a target system to use a specified network time server.  The script, as written, is intended for use with The Casper Suite.  Replacing $4 with a static value or using another method of passing a value would be necessary if you are not using The Casper Suite.

#!/bin/bash
##### HEADER BEGINS #####
# scr_sys_setNTP.bash
#
# Created 20090627 by Miles A. Leacy IV
# miles.leacy@themacadmin.com
# Modified 20090627 by Miles A. Leacy IV
# Copyright 2009 Miles A. Leacy IV
#
# This script may be copied and distributed freely as long as this header
# remains intact.
#
# This script is provided "as is".  The author offers no warranty or
# guarantee of any kind.
# Use of this script is at your own risk.  The author takes no responsibility
# for loss of use,
# loss of data, loss of job, loss of socks, the onset of armageddon, or any
# other negative effects.
#
# Test thoroughly in a lab environment before use on production systems.
# When you think it's ok, test again.  When you're certain it's ok, test
# twice more.
#
# This script sets a Mac OS X system to use a network time server specified
# by the value passed in the $4 parameter by the Casper Suite.
# Run as an "at reboot" script when imaging with Casper, making sure to
# double-check the value in the script parameters before imaging.
#
##### HEADER ENDS #####

# Fail closed if Casper did not supply a time server in parameter 4.
if [ -z "$4" ]; then
    echo "No network time server was passed in parameter 4." >&2
    exit 1
fi

systemsetup -setusingnetworktime on -setnetworktimeserver "$4"

exit 0
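As an added example (not the original post’s script), here is a fail-closed variant of the same idea that generalizes to any value a Casper script receives in a parameter: the time server in $4 is checked for an empty or malformed value before it reaches systemsetup, and a bad value makes the script exit non-zero so the failure shows up in the policy log instead of silently configuring nothing. It assumes, as the original does, that the server is passed as $4; the SYSTEMSETUP variable (an assumption of this example) defaults to /usr/sbin/systemsetup and can be pointed at a stand-in command for testing off a Mac.

```shell
#!/bin/sh
# Added example, not from the original post: a fail-closed version of the
# network-time script. Casper passes the time server in $4; an empty or
# malformed value must stop the script with a non-zero exit rather than be
# handed to systemsetup.
# Assumptions: the hostname or IPv4 address arrives as $4 as in the original;
# SYSTEMSETUP (a variable introduced here) defaults to /usr/sbin/systemsetup
# and can be overridden with a stand-in command for offline testing.

SYSTEMSETUP=${SYSTEMSETUP:-/usr/sbin/systemsetup}

# validate_time_server VALUE
# Accepts a DNS hostname or dotted IPv4 address: letters, digits, dots and
# hyphens only, no leading or trailing dot or hyphen, no empty label, at most
# 253 characters. Returns 1 for anything else.
validate_time_server() {
  value=$1
  [ -n "$value" ] || return 1
  [ "${#value}" -le 253 ] || return 1
  case $value in
    *[!A-Za-z0-9.-]*) return 1 ;;   # character outside the hostname alphabet
    .*|-*|*.|*..*)    return 1 ;;   # malformed label structure
  esac
  return 0
}

# set_time_server VALUE
# Runs systemsetup only after the value passes validation.
set_time_server() {
  if ! validate_time_server "$1"; then
    echo "set_time_server: refusing invalid time server value '$1'" >&2
    return 1
  fi
  "$SYSTEMSETUP" -setusingnetworktime on -setnetworktimeserver "$1"
}

# When deployed with Casper, parameters 1-3 are reserved by the Suite and the
# time server is parameter 4, so the script only acts when at least four
# parameters are present.
if [ $# -ge 4 ]; then
  set_time_server "$4" || exit 1
  exit 0
fi
```

The validation is deliberately narrow: it admits only what a hostname or IPv4 literal can contain, so a mistyped parameter (or one carrying shell metacharacters) is rejected up front rather than interpreted downstream. Whether the setting actually took effect can then be confirmed on the Mac with systemsetup -getnetworktimeserver.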