
Updates keep overriding ssh security settings

This isn't really a question, but more of a complaint and a plea:


I have repeatedly -- with every update since 2010 -- had Apple override my ssh security settings with the default, less-secure settings of

#PasswordAuthentication yes

#ChallengeResponseAuthentication yes

#EnablePAM yes


These are not what I want, nor are they appropriate defaults, in my opinion, for any system. The defaults should be no, no, and no.


Can Apple PLEASE not overwrite the user's carefully considered sshd_config when making a system update? Every time, you've opened up security holes I had nailed closed.


Thanks in advance for doing it right in your next system update.

iMac, macOS Sierra (10.12.4)

Posted on Apr 19, 2017 9:11 PM

17 replies
Question marked as Best reply

Apr 24, 2017 4:10 PM in response to Drew Reece

I don't know if launchd is running during an install or not. But I know that the OS is busy doing its install thing and isn't going to be notifying the user.


There might be a number of such scripts floating around on the internet. One example is OSXRipper (https://github.com/bolodev/osxripper). Another example is DetectX (https://sqwarq.com/detectx/). I haven't tried either.

Apr 25, 2017 6:58 PM in response to Hugh_Gibbons

I did give this a little more thought, I'd make a simple sqlite or even plain text DB of hashes for the configs that matter to you. Keeping duplicate configs is messy now I think about it.


If the update changes a file the hash will change. It should be a little easier to manage. Just a script to update hashes in a db & the job to check at boot.

It could be a simple 'for each line check the hash' job.


You could use shasum in bulk…

shasum /path/config1 > test.txt
shasum /path/config2 >> test.txt
# to verify
shasum -c test.txt
/path/config1: OK
/path/config2: FAILED


Set it up to mail you if you want to avoid login issues, a system wide launchd job will send no matter who starts up a Mac.


I don't know anything about it but from the name I'd expect the built in audit system to be useful here but I can't really see how to configure it, it is discussed around the web a few times…

File Auditing (auditd?) Question

http://www.netsq.com/Tools/AuditExplorer/ (app now defunct)


Hugh_Gibbons wrote:


Why isn't Apple's First Rule of Updates, "Don't mess with a user's custom configuration but if you really must (don't) but if you do, tell them what you changed?"

Sadly Apple's first rule overrides it…

"Apple knows better than users."

Apr 20, 2017 9:27 PM in response to Barney-15E

The convention is for the default settings to be commented in the way I have shown. In the default version of the file, that's how they appear, which means they are the default openssh settings.


Every time MacOS updates, it overwrites whatever settings I have made in sshd_config. I set them to

PasswordAuthentication no

ChallengeResponseAuthentication no

EnablePAM no


This results in only being able to log in using PKE, which is how I want my system configured. This should be a choice solely determined by the owner of the computer. Apple should not override user security settings.
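An added example, not code from the thread, that makes the "commented line means compiled-in default" point concrete. The first function reports the value sshd will actually use for a keyword, following the resolution rules in sshd_config(5): matching is case-insensitive, the first uncommented occurrence wins, a "#Keyword value" line is only a comment documenting the default, and directives after a Match line apply to that block only. The second function checks that the three switches the post lists are all off. It uses the OpenSSH keyword UsePAM for the PAM switch, because sshd_config(5) defines no EnablePAM keyword, and the compiled-in defaults it passes in (yes, yes, no) are those documented in sshd_config(5). The sample files are constructed here rather than taken from any Mac.

```shell
#!/bin/sh
# sshd_effective CONFIG KEYWORD DEFAULT
#   Print the value sshd would use for KEYWORD, following sshd_config(5):
#   keywords are case-insensitive, the first uncommented occurrence wins,
#   "#Keyword value" lines are comments that merely document the compiled-in
#   default, and directives after a "Match" line belong to that block only.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            line = $0; gsub(/=/, " ", line)        # "Keyword=value" is also legal
            if (split(line, f) == 0) next
            name = tolower(f[1])
            if (name == "match") exit              # global section ends here
            if (name == key) { print f[2]; found = 1; exit }
        }
        END { if (!found) print def }              # nothing set: compiled-in default
    ' "$1"
}

# check_hardened CONFIG
#   Return 0 only when password, keyboard-interactive and PAM logins are all
#   off, i.e. only public-key authentication remains.  The defaults passed in
#   (yes, yes, no) are the compiled-in ones from sshd_config(5).  The post
#   writes "EnablePAM"; the keyword sshd actually parses is UsePAM.
check_hardened() {
    cfg=$1; rc=0
    for pair in PasswordAuthentication:yes ChallengeResponseAuthentication:yes UsePAM:no; do
        key=${pair%%:*}; def=${pair##*:}
        val=$(sshd_effective "$cfg" "$key" "$def")
        if [ "$val" != "no" ]; then
            printf 'INSECURE: %s is effectively "%s"\n' "$key" "$val"
            rc=1
        fi
    done
    return $rc
}

# make_samples: constructed sample files (not taken from the page) in a temp
# directory.  "stock" leaves the directives commented out (defaults in force)
# apart from an explicit "UsePAM yes"; "hardened" is what the poster wants,
# with a Match block showing that later directives do not change the global value.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication yes' \
                  '#ChallengeResponseAuthentication yes' \
                  'UsePAM yes' > "$dir/stock"
    printf '%s\n' 'PasswordAuthentication no' \
                  'ChallengeResponseAuthentication no' \
                  'UsePAM no' \
                  'Match User backup' \
                  '    PasswordAuthentication yes' > "$dir/hardened"
    printf '%s\n' "$dir"
}

# Usage: sh sshd_check.sh /private/etc/ssh/sshd_config
if [ $# -gt 0 ]; then check_hardened "$1"; fi
```

On a real host the authoritative check is `sudo sshd -T`, which prints the effective configuration after sshd's own parsing (including Match handling); the parser above is enough to compare a file against the three settings at boot without starting a daemon.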

Apr 20, 2017 9:59 PM in response to Hugh_Gibbons

This has been happening since 2010?

I don't recall this happening & I have similar edits to /etc/sshd_config & have done so for years.


'pkgutil' will list what the receipts say about installers that ran. In Terminal, see what installed & edited your sshd binary (check your sshd path first with locate or whereis)…

pkgutil -v --file-info /usr/sbin/sshd

… shows list of packages


Now repeat for /etc/sshd_config

pkgutil --file-info /etc/sshd_config

… I get no packages listed, how about you?


You can also see the files in any of the packages that were listed

pkgutil -v --files com.apple.pkg.BaseSystemBinaries | grep etc



I don't doubt it happens I have had other configs squashed by updates. I'd investigate creating a watch path for your config file - launchd can mail you or notify you of changes. It's a pain but getting notified early is better than nothing I guess.

Apr 21, 2017 10:14 AM in response to Hugh_Gibbons

Hugh_Gibbons wrote:


Not really sure they'd consider this a bug, but it's definitely not how you want an updater to work. It should leave settings alone where they don't present a problem with the new version of the system.

Hello again Hugh_Gibbons,

Maybe it would be an enhancement request then. But the OS is doing something you don't like, so you have the right to complain about it.


I have an ulterior motive too. Apple is not consistent when dealing with these configuration files. One of my pet peeves is the sudoers file. Malware and "clean up" software like to edit that file to give themselves root privileges without having to ask the user every time or take other safe precautions. But as soon as that file is modified, Apple software updates will never update it again, persisting those back doors for all future updates. Yet when you update sshd_config to make it more secure, your changes get blown away.

Apr 21, 2017 11:12 AM in response to Hugh_Gibbons

Obviously if things are different on your OS you change them. I tested on an earlier OS, which I was on at the time; I should have been clear about that, sorry. The first command lists relevant packages if you give it the location you are interested in.

pkgutil will only allow you to see which updates changed things - if security updates repeatedly alter it you know that you need to be wary of them. Otherwise just make a list & pass it on to Apple so they can at least confirm without having to hunt for evidence.


There is an example for a launchd watchpath in this stack overflow page…

http://stackoverflow.com/questions/1515730/is-there-a-command-like-watch-or-inotifywait-on-the-mac

If you install something like terminal notifier you could get notified instead of just a log message.


Also see the manual if you do create one…

man launchd.plist

Apr 24, 2017 12:49 PM in response to etresoft

I'm not clear on how launchd is not running during install as it is the first process started from the kernel, however you probably know more about it than me 🙂


To get around that issue I'd consider making a script to diff the config against a copy of the edited config to notify on boot (or check daily etc). It's a pain but Apple repeatedly alter configs that they install.


I suspect there are tools that already monitor files for auditing that could be bent into notifying when any configs change. I wonder if the audit daemon has the ability to do that?


I guess another option is to install ssh & use it instead of Apple's version.


@Hugh_Gibbons, FWIW pkgutil doesn't follow symlinks so /private needs to be included…

$ pkgutil -v --file-info /private/etc/ssh/sshd_config

com.apple.pkg.Essentials is where it originates on 10.12 and 10.12.4 updated it on my Mac.

Apr 25, 2017 5:49 PM in response to etresoft

I think I'm inclined to make my own notifier that diffs the file against a copy in another location that runs on boot and maybe makes a diff report if it finds anything and sets it up to open automagically when I log in. Only trick is, I'm not the only or most frequent user of that machine. My wife uses it but she doesn't use ssh so I haven't enabled it for her login, just mine.


Fun with scripting, yay!


But this is something users just shouldn't have to do.

Why isn't Apple's First Rule of Updates, "Don't mess with a user's custom configuration but if you really must (don't) but if you do, tell them what you changed?"

Apr 25, 2017 8:55 PM in response to Drew Reece

I ended up writing a script to do a file diff. That's not as efficient as keeping a database of hashes but it shows me exactly what changed. I'd have to do the diff anyway to find out WHAT changed so I could examine it and change it back if needed.


The script runs every time I log in, controlled by the launch daemon.


Now let's hope Apple doesn't clean out my ~/Library/LaunchAgents or unregister my plists. That would really be icing on the cake.😁
