macOS Code Signing Validation

Code signing lets a security-conscious user check whether an application comes from an identified source and whether it has been modified, or corrupted, since it was signed.

Manually checking an application's signature is usually unnecessary for the average Mac user, because most users get their software from the Mac App Store, where every app is signed by Apple.

macOS (and later versions of OS X) runs Gatekeeper, which checks the signature of applications downloaded from the internet (those carrying the quarantine attribute) and, by default, warns about and blocks apps that are unsigned or come from an unidentified developer. Apps signed with a Developer ID certificate open without a warning.

Regardless of where an app comes from, it is worth knowing whether its integrity holds up. It never hurts to validate an app yourself, outside of Apple's built-in checks.


Manual validation

When I check an app by hand, I look at three things in the codesign output: the hash type, the code directory hash (CDHash), and the Authority chain.
All of this uses the codesign command in Terminal.

Inspect the signature details and the Authority chain (codesign -d prints its details to stderr, so redirect with 2>&1 if you want to pipe the output to grep):

codesign -dvvv /path/Foo.app

Note: applications distributed through the Mac App Store are signed by Apple; their Authority chain starts with "Apple Mac OS Application Signing" and ends at "Apple Root CA". A third-party app distributed outside the store should show a "Developer ID Application:" leaf carrying the developer's name and Team ID, again anchored at "Apple Root CA".

Gatekeeper-like verification (on success this prints "valid on disk" and "satisfies its Designated Requirement"; a non-zero exit status means the bundle has been altered or is not correctly signed):

codesign --verify --deep --strict --verbose=2 /path/Foo.app/
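The two commands above, wrapped into a single check, as an added example that is not part of the original post. check_codesign_details reads the text that codesign -dvvv prints (redirected with 2>&1, since it goes to stderr) and refuses anything that is not anchored at Apple Root CA, not signed by a Developer ID or Mac App Store leaf, or not hashed with SHA-256; audit_app runs it together with the structural verification and a direct spctl assessment. codesign and spctl only exist on macOS, but the parsing function works on saved output, so it can be exercised on any POSIX shell with constructed sample output.

```shell
# Added example, not from the original post. Assumes macOS for codesign/spctl;
# check_codesign_details itself only needs POSIX sh and the saved -dvvv text.

# Return 0 if the signer chain in `codesign -dvvv` output (read from stdin)
# looks like an Apple-issued identity: the leaf is a Developer ID or Mac App
# Store certificate, the chain ends at Apple Root CA, and hashing is SHA-256.
check_codesign_details() {
    details=$(cat)
    # Callers must redirect 2>&1: codesign -d writes these details to stderr.
    leaf=$(printf '%s\n' "$details" | grep '^Authority=' | head -n 1 | cut -d= -f2-)
    root=$(printf '%s\n' "$details" | grep '^Authority=' | tail -n 1 | cut -d= -f2-)
    hashtype=$(printf '%s\n' "$details" | grep '^Hash type=' | head -n 1)

    [ -n "$leaf" ] || { echo "no Authority lines: unsigned or ad-hoc signed"; return 1; }
    [ "$root" = "Apple Root CA" ] || { echo "chain not anchored at Apple Root CA: $root"; return 1; }
    case "$leaf" in
        "Developer ID Application: "*|"Apple Mac OS Application Signing") ;;
        *) echo "unexpected leaf signer: $leaf"; return 1 ;;
    esac
    case "$hashtype" in
        *sha256*) ;;
        *) echo "legacy or missing hash type: ${hashtype:-none}"; return 1 ;;
    esac
    echo "signer: $leaf"
    return 0
}

# Full manual check of an application bundle (macOS only).
audit_app() {
    app=$1
    # 1. Structural and signature validation, the same check Gatekeeper performs.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # 2. Identity check on the certificate chain.
    codesign -dvvv "$app" 2>&1 | check_codesign_details || return 1
    # 3. Ask Gatekeeper's policy engine directly.
    spctl --assess --type execute -vv "$app"
}

# Usage on a Mac: audit_app /Applications/Foo.app
```

The leaf and root checks are deliberately separate: a bundle can carry a perfectly valid signature from a self-made certificate, and codesign --verify alone will not tell you that the signer is not Apple-issued.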

VMware ESXCLI ESXi Upgrade

Upgrading with ESXCLI saves time: instead of logging into "My VMware" to download the ESXi ISO, you apply the patch directly from the VMware Online Depot to your server.

I routinely check the VMware ESXi Patch Tracker to know when it is time to update and which build number (image profile) I need.

Before getting started, put the host into maintenance mode, or at least gracefully shut down all virtual machines. Once maintenance mode is enabled, also enable SSH so the upgrade can be started.


Instructions

Open the SSH session to your ESXi server and follow these instructions.

First allow outbound HTTP/HTTPS requests from the host by enabling the httpClient firewall ruleset. Paste the line below into your SSH session and press Enter:

esxcli network firewall ruleset set -e true -r httpClient

Next, fetch the image profile from the depot over HTTPS and apply the update. Paste the line below, substituting the image profile name you found on Patch Tracker, and press Enter; this can take some time to finish. Note that profile update only upgrades the VIBs already on the host (and adds any new ones the profile requires), whereas profile install replaces the whole image and removes VIBs not in the profile, so update is the safer choice when third-party drivers are installed.

esxcli software profile update -p ESXi-6.5.0-20170104001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

When it finishes, disable the httpClient ruleset again by pasting the line below into your SSH session and pressing Enter:

esxcli network firewall ruleset set -e false -r httpClient

After outbound HTTP is disallowed again, it is safe to close the SSH session and disable SSH. Reboot the host to complete the upgrade, and remember to exit maintenance mode once it is back up.
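The upgrade steps above as one function, added here as an example that is not part of the original post. It confirms the image profile is actually offered by the depot, dry-runs the update, applies it, and closes the httpClient ruleset again even when a step fails, so a failed patch does not leave outbound HTTP open. Assumptions: it is run from an SSH session on the ESXi host, the profile name comes from Patch Tracker, and esxcli software sources profile list and the --dry-run flag of esxcli software profile update are the standard esxcli subcommands (not flags the original post used).

```shell
# Added example, not from the original post. Assumes it runs on the ESXi host
# over SSH; the profile name is the one from Patch Tracker.

DEPOT='https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml'

# Everything that needs outbound HTTP(S); returns non-zero at the first failure.
run_update() {
    profile=$1
    # Confirm the profile is really offered by the depot before touching the host.
    if ! esxcli software sources profile list -d "$DEPOT" | grep -q "^$profile "; then
        echo "image profile $profile not found in depot" >&2
        return 1
    fi
    # Dry run: reports the VIBs that would change without installing anything.
    esxcli software profile update -p "$profile" -d "$DEPOT" --dry-run || return 1
    esxcli software profile update -p "$profile" -d "$DEPOT" || return 1
}

# esxi_profile_update <image-profile>
esxi_profile_update() {
    profile=$1
    [ -n "$profile" ] || { echo "usage: esxi_profile_update <image-profile>" >&2; return 2; }

    esxcli network firewall ruleset set -e true -r httpClient || return 1
    if run_update "$profile"; then status=0; else status=$?; fi
    # Always close the ruleset again, whether or not the update succeeded.
    esxcli network firewall ruleset set -e false -r httpClient
    if [ "$status" -eq 0 ]; then
        echo "update applied: reboot the host, then exit maintenance mode"
    fi
    return "$status"
}

# Usage on the host: esxi_profile_update ESXi-6.5.0-20170104001-standard
```

The split into run_update and esxi_profile_update is what guarantees the firewall cleanup: every early return from the networked part lands back in the outer function, which disables httpClient before reporting the status.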

EdgeOS NetFlow IPFIX Configuration

EdgeOS is Ubiquiti's operating system for the EdgeRouter line, and it includes the ability to generate, view, and forward NetFlow records.

I will be using NetFlow version 10, also called IPFIX. IPFIX records can be exported to a third-party collector to gain better network visibility. A collector such as IBM's QRadar can use IPFIX data to surface behavior that indicates a compromise: unusual ports, unknown destinations, and much more.

For more information on IPFIX see RFC 5101 (the protocol specification, since superseded by RFC 7011) and RFC 5153 (implementation guidelines).


Configuration

The configuration will be from the Command Line Interface (CLI).

Set the interface to collect flows on; in my case eth0, which is the WAN interface:

set system flow-accounting interface <interface>

Choose the ID number of the flow switching engine (0-255):

set system flow-accounting netflow engine-id <0-255>

Collect flows for egress traffic as well as ingress:

set system flow-accounting netflow enable-egress

Set the IP address and UDP port of the remote collector that will receive the flows (2055 is the conventional NetFlow port):

set system flow-accounting netflow server <IP> port <2055>

Specify the NetFlow version to use (10 for IPFIX):

set system flow-accounting netflow version <10>

I leave the timeout options at the EdgeOS defaults.

Once you have committed and saved the configuration, you can double-check your work by viewing flow activity with:

show flow-accounting
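The steps above assembled into one complete configure-mode session, as an added example that is not part of the original post. edgeos_netflow_config prints the configure / set / commit / save sequence for a given interface, collector and engine ID, and refuses values the CLI would reject (engine-id outside 0-255, a port outside 1-65535, a malformed IPv4 address) before anything is pasted into the router. It also emits ingress-capture post-dnat, which appears in the running config below but not in the step list. The collector address in the usage line is made up.

```shell
# Added example, not from the original post. Output is meant to be pasted into
# the EdgeOS CLI; the collector address used below is a placeholder.

# valid_ipv4 <addr>: four dotted decimal octets, each 0-255.
valid_ipv4() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# edgeos_netflow_config <interface> <collector-ip> <collector-port> <engine-id>
# Prints the command sequence on stdout; prints nothing and returns 1 on bad input.
edgeos_netflow_config() {
    iface=$1
    collector=$2
    port=$3
    engine=$4
    [ -n "$iface" ] || return 1
    case $engine in ''|*[!0-9]*) return 1 ;; esac
    [ "$engine" -le 255 ] || return 1              # engine-id is <0-255>
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    valid_ipv4 "$collector" || return 1

    cat <<EOF
configure
set system flow-accounting interface $iface
set system flow-accounting ingress-capture post-dnat
set system flow-accounting netflow engine-id $engine
set system flow-accounting netflow enable-egress
set system flow-accounting netflow server $collector port $port
set system flow-accounting netflow version 10
commit
save
exit
EOF
}

# Usage: edgeos_netflow_config eth0 192.168.10.20 2055 2
```

Validating before commit matters more on a router than it looks: a rejected set line inside a pasted session leaves the rest of the paste running against a half-applied candidate configuration.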

Example running config (the flow-accounting portion of the system block):

}
system {
    domain-name name.local
    flow-accounting {
        ingress-capture post-dnat
        interface eth0
        netflow {
            enable-egress {
            }
            engine-id 2
            server 192.168.0.0 {
                port 2055
            }
            timeout {
                expiry-interval 60
                flow-generic 3600
                icmp 300
                max-active-life 604800
                tcp-fin 300
                tcp-generic 3600
                tcp-rst 120
                udp 300
            }
            version 10
        }