a rock, a paper, and a goat

a love story

A Quagmire


it’s a new year, and with it, i’ve changed jobs. since february, i’m working part time down the street at tufts university doing some general linux sysadmin stuff. working at lincoln laboratory was an interesting experience, and i continue to appreciate how accommodating people were there during the birth of our son and the ensuing schedule change due to daycare, etc. long term, it wasn’t the right type of work environment for me.

i’ve had a blog post percolating for a while about the mac admin community, of which i was a part for many years. this morning as i sit here typing, the steam has dissipated a bit. after being involved in the community for so long, it just got too discouraging to see the same questions, the same conference talks, the same problems being discussed. a recent conference schedule included many of the same people and topics i saw three or more years ago. there’s always going to be some level of bikeshedding, but it’s really disappointing to see a community (and some commercial management products) embrace that mentality as “best practices.”

that’s about all i’ll say here. i’m looking forward to new challenges, throwing myself fully into sysadmin work and configuration management. speaking of which, if you’re in the boston area and interested in some informal shop talk about distributed systems, configuration, management, and all things “devops,” stop by the next BosOps meetup.

Time Passes


it’s been a while since i last posted. i’m a dad, have changed positions in my company, and am adjusting to all of that. i’m doing sysadmin work more in line with my career aspirations, which is a good thing. it’s nice to break out of the world of “mac admin.”

by far, parenting is the biggest challenge i’ve ever undertaken. i wouldn’t be able to do it without sarah, my rock. emmett is a great kid so far. he’s funny, curious, and active. and it’s only been 7 months. i can’t wait to see who he becomes. sleep has been difficult for us (and him) at times. we’re adjusting, as all new parents do.

like all parents, i’m struggling with balancing family, career, personal development, health and well-being, etc. i have all kinds of things i want to do to further my career, like learning new technology and languages, building distributed systems, and playing more with AWS. how do people with families do it? just getting out the door to get to work can be difficult many mornings. i try to work from home a bit in the morning before stopping at the office. my employer is definitely old-school, preferring staff to be in the building from 8:30 - 5 every day. anyway, i’m finding it difficult to work toward my goal of getting more proficient in things that will allow me to join a distributed/remote team someday. just gotta keep plugging away…

i’m currently reading Seven Languages in Seven Weeks, among other things, and hoping it spurs me to jump into some other directions.

by the way, is there a #dadops irc channel? there probably should be.

OS X Java Security Update, Part 2


updating the previous post, i checked out apple’s separate flashback malware remover released yesterday. the release notes say it requires 10.7 and recommends installing on machines without java installed. does this malware even work without java installed?

installing it on my 10.7.3 test box didn’t do much. since it’s not infected, it looks like the behavior is exactly the same as the bundled payload in the java security pkg. it installs, checks, then removes its components if there’s nothing to do. there are a few log entries that show its check status and a reference to xpchelper, which is part of apple’s xprotect that’s supposed to deal with malware.

looks like this is all they want the removal tool to do. it won’t run as a service, instead doing a one-time scan before committing hara kiri.

OS X Java Security Update


after all the media coverage of the recent flashback malware on os x, apple released another java update yesterday that includes a “removal tool.”

there wasn’t much mention of what the removal tool does in the release notes. how do you use it? what does it do?

on two test machines, running 10.6.8 and 10.7.3, respectively, i installed the latest java update. the receipts db shows that a pkg with id com.apple.pkg.JavaSecurity was installed. checking the flat package contents, it’s part of the payload.

here’s what’s installed:

great. let’s check out /usr/libexec/MRT to see what that does. hey, it’s not there… i checked the paths specified in the payload, but none of it was to be found.

hmmm…

both test machines showed the same behavior: installed the pkg but left no trace of the binaries.
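
one way to repeat that receipt-versus-disk check on any package (an added example, not part of the original post; the function name `missing_payload` and the demo paths other than /usr/libexec/MRT are made up for illustration): save the receipt's file list with `pkgutil --files com.apple.pkg.JavaSecurity > files.txt`, then report which recorded paths are no longer on disk.

```shell
#!/bin/sh
# compare a package's recorded payload against what is actually on disk.
# usage: missing_payload <file-list> [root]
#   <file-list>  one payload path per line, relative to the install root
#                (the format `pkgutil --files <pkg-id>` prints)
#   [root]       install root to check against (default: /)
# prints every recorded path that no longer exists; returns 1 if any are missing.
missing_payload() {
    list=$1
    root=${2:-/}
    missing=0
    # the "|| [ -n ... ]" keeps a final line that has no trailing newline
    while IFS= read -r rel || [ -n "$rel" ]; do
        [ -n "$rel" ] || continue              # skip blank lines
        path="${root%/}/${rel#/}"
        # -e follows symlinks, so also accept a dangling symlink via -L
        if [ ! -e "$path" ] && [ ! -L "$path" ]; then
            printf '%s\n' "$rel"
            missing=1
        fi
    done < "$list"
    return "$missing"
}

# constructed demo: a scratch root where the receipt still lists a binary
# that has since removed itself (hypothetical layout, not a real receipt).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/usr/libexec" "$tmp/root/usr/share/example"
    : > "$tmp/root/usr/share/example/kept.txt"   # this file is still present
    printf '%s\n' usr/libexec usr/libexec/MRT \
        usr/share/example/kept.txt > "$tmp/files.txt"
    result=$(missing_payload "$tmp/files.txt" "$tmp/root") || true
    rm -rf "$tmp"
    printf '%s\n' "$result"
}
demo
```

a non-empty result while the receipt still says "installed" is the mismatch described above: the receipts db is a record of what the installer laid down, not of what is on disk now.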

the launchagent installed calls the MRTAgent.app under CoreServices.

similarly, the launchdaemon calls /usr/libexec/MRT.

the pkg postflight looks sort of crude:

so it unloads, then loads the launchd jobs. fine so far, i guess.

a very unscientific scan through the MRT binary with strings provides some idea of what it’s looking for, at least. it has some reference to at least two variants of flashback; appears to check safari, chrome, and firefox (but not other browsers); and looks through system and user homedirs.

since it apparently removed itself on my systems, i rsynced the files into place, reloaded the daemon and agent, and tried manually running MRT. as soon as i did that, all the components were gone. so this is the intended behavior?

i’m guessing that on infected machines, it will do some type of removal before removing these components. it seems that apple assumes you’ve installed the java update, so the vulnerability is fixed, and there’s no need for the removal tools any more.

if that’s the case, apple should clarify this is the intended behavior in the release notes. i know some people have been looking to this update to provide some type of useful malware removal and prevention utility, which doesn’t appear to be the case.

am i missing something here? have any of you seen different results?

Macutils


new year, new job…

i started compiling some common routines for mac admin tasks in a ruby library here. if it’s useful to you, or you have suggestions, let me know. it’s just a class right now, but i’ll probably turn it into a module. if you’re already using some other type of configuration management (and you should be), most of this may not matter. my main goal is to write something useful, practice writing more ruby, and to avoid sitting in the bike shed too much. i may have failed on the last point…

Some Tinkering With Hashed Passwords


the other night, gary tweeted about a puppet/os x 10.7 password bug i started looking at a while back.

it’s good practice. i’ve been less focused on ruby lately than i’d like, and as @lusis says: “always be hacking.”

here are some notes from gary on the problem:

and here’s a bit of what i worked out so far:

i always enjoy collaborating with people across the ‘tubes. there’s no real point to this post; just jotting down some thoughts while waiting for some processes to finish.

Mcollective Tinkering, Part 2


following up the previous post, i have a working agent uploaded. so far, it doesn’t do too much.

i also sort of take back the gripe about agent documentation. i see now there’s some facility for including usage statements, though i’ve only seen them in application files, not agents. need to check the docs again…

next up is getting a handle on input and output syntax and doing more interesting things. i intend to gear the macutil agent toward common os x specific tasks one might want to perform, but as i’m running through a pile of utility scripts, it’s pretty obvious that so many of these one-off shell/ruby/python/whatever scripts are reactionary. there are many places where proper configuration management tools and processes are a more appropriate fit.

Mcollective Tinkering


yesterday’s afternoon activities included messing with mcollective agents. i’m working on an agent that provides a lot of the same one-off, scripted checks that i’ve written in the past for os x clients. it should be somewhat useful, i hope.

i’ll be sure to commit whatever working pieces i have soon.

one of my minor annoyances with the mcollective documentation (which is generally good) is that it skips some of the really basic things, like how to invoke an agent from the command line. for instance, it’s helpful to provide examples of how to pass arguments, like so:

i’ll add examples for how to call agents either in the ddl or agent code itself. seeing examples in the ddl via the built in help would be nice, though.

A New Blog


after a long hiatus, i’m starting a new blog using octopress. my old blog was built using hobix, which has been abandoned for a few years now. after why disappeared, there hasn’t been much development with hobix. i also haven’t had the time or inclination to fix the things that are broken with my install.

so we’ll see how this goes. twitter has replaced regular blogging for most people i know.

i have a couple of other blogs out there that get sporadic updates. i’ll link to those, as well.