Living off the land in macOS
Documenting macOS commands that are useful for exploring the system.
dscl
dscl is the command line interface for the macOS directory services authentication framework. It can list, write and read information regarding the users on the local machine, or about the directory if deployed in an LDAP environment.
Example uses:
dscl . -ls /Users
- List all users on the system.
dscl . -read /Users/$(whoami)
- List detailed information about a user.
dscl . -read /Users/$(whoami) | grep LinkedIdentity
- Get the linked identity of a user.
log
Starting in macOS 10.12 (High Sierra), the logging system shifted to the os_log API for system logging, which reduced the number of logs written to disk because they are stored in memory. The log command or Console.app can be used to read these logs. The default behavior of the log command can be altered with a ~/.logrc file in the user's home directory.
Example uses:
log [show]|[stream] -last 1h --predicate 'subsystem == "com.apple.securityd"'
csrutil
csrutil is the interface to macOS's System Integrity Protection (SIP). Changing the settings from this utility can only be done when the machine is booted into recovery mode.
Example uses:
csrutil status
- The default value is enabled.
csrutil [enable]|[disable]
- Can only be used from recovery mode.
csrutil netboot [add]|[remove] IPv4
- Adds a macOS NetBoot server. NetBoot servers add scripts that can be run versus full installs.
plutil
Apple stores many configuration files as property lists, which can be stored as XML, JSON, or a binary format. plutil can lint, display and modify these .plist files.
Examples:
plutil <file>.plist
- Lint the syntax of the file.
plutil -p <file>.plist
- Print the file to stdout.
plutil -convert [xml1]|[json] <file>.plist
- Converts files to a new format.
scutil
Provides a CLI to the data stored by configd(8).
Examples:
scutil --dns
- Grab the DNS configuration for the system.
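Because every utility documented above ships with macOS, defenders usually look for them in combination rather than one at a time. The following is an added example, not code from the original post: it reports any parent process that launched several of these utilities in a short window. The record format (epoch seconds, parent PID, command line, tab-separated), the 60-second window, the threshold of three and the sample events are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed record format:
#   epoch_seconds <TAB> parent_pid <TAB> command line

# Print "parent_pid count tools" for every parent that ran at least `min`
# distinct utilities from this page within `win` seconds of the first one.
detect_discovery_burst() {
    awk -F '\t' -v win="${1:-60}" -v min="${2:-3}" '
    function report(p) { if (count[p] >= min) print p, count[p], tools[p] }
    {
        split($3, argv, " ")
        k = split(argv[1], parts, "/")      # drop a leading path, if any
        tool = parts[k]
        if (tool !~ /^(dscl|csrutil|scutil|plutil|log)$/) next
        # Window expired for this parent: report it, then start a new one.
        if (($2 in first) && $1 - first[$2] > win) {
            report($2); delete first[$2]; count[$2] = 0; tools[$2] = ""
        }
        if (!($2 in first)) first[$2] = $1
        # Count each utility once per window.
        if (index("," tools[$2] ",", "," tool ",") == 0) {
            tools[$2] = (tools[$2] == "" ? tool : tools[$2] "," tool)
            count[$2]++
        }
    }
    END { for (p in first) report(p) }
    ' | sort -n
}

# Constructed sample events (not real telemetry).
sample_events() {
    printf '%s\t%s\t%s\n' \
        1700000000 412 'dscl . -ls /Users' \
        1700000005 412 '/usr/bin/csrutil status' \
        1700000009 412 'scutil --dns' \
        1700000012 412 'dscl . -read /Users/alice' \
        1700000020 977 'plutil -p /tmp/example.plist' \
        1700000500 977 'scutil --dns' \
        1700000510 977 'ls -la'
}

sample_events | detect_discovery_burst 60 3   # prints: 412 3 dscl,csrutil,scutil
```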
Credit
This research is a culmination of testing things, and reading material by the following folks: