Palo Alto Networks Knowledgebase: How To Configure Mac Plist/Process For HipMatch
Created On 02/07/19 23:39 PM - Last Updated 02/07/19 23:40 PM
This article provides the steps required to HIP Match HIP objects that contain Mac OS plists and/or processes. Keep the main caveats in mind: the Mac GP client can only check 'application' plists from either /Library/Preferences or ~/Library/Preferences, where ~ is the current user's home directory. The Mac GP client can also only check "String" or "Number" type values within the application plist. In addition, when defining the plist for Macs, do not specify the full path.
For example, to check ~/Library/Preferences/com.apple.finder.plist, you only need to specify "com.apple.finder". The Mac GP client appends ".plist" and first checks whether the file "com.apple.finder.plist" exists in /Library/Preferences. If the file does not exist in the system preference folder (i.e. /Library/Preferences), the GP client calls the OS X API to enumerate the application plists, which include the plist files under the user's ~/Library/Preferences folder. Admins cannot specify arbitrary plist files such as "/Users/user1/Library/Safari/Bookmarks.plist". This is a current limitation of plist checking in the GP client for Macs.
Test bed utilized the following:
Mac OS 10.8.5
Create the HIP Object specifying the plist/process. In this example, I'm using the application plist called 'com.apple.finder'. I used Xcode to obtain the Key ("GoToField") and Value ("~/Library/Preferences") for the plist.
However, when testing this, we need to use the value the host actually reports, as shown in the second screenshot. The Mac GP client reports the value '/Users/user1/Library/Preferences', which is missing the '/' after Preferences. This is therefore the value to configure on the HIP Object.
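The caveats above (bare plist name, system folder checked before the user folder, only String or Number values) can be pre-checked on the endpoint before the HIP object is built. The following is an added example, not Palo Alto Networks code: `check_hip_plist` and `demo` are hypothetical names, and the script approximates the client's lookup with a direct check of the two folders rather than the OS X API enumeration the article mentions. It assumes plist integer and real values both count as "Number", and `demo` runs against a constructed plist in a temporary directory.

```python
import plistlib
import tempfile
from pathlib import Path

# Lookup order from the article: system preferences first, then the user's.
DEFAULT_DIRS = (Path("/Library/Preferences"), Path.home() / "Library" / "Preferences")

def check_hip_plist(name, key, search_dirs=DEFAULT_DIRS):
    """Pre-check a plist name and key before entering them in a HIP object."""
    # The HIP object takes the bare plist name: no path and no ".plist" suffix.
    if "/" in name or name.endswith(".plist"):
        return ("invalid-name", name)
    candidates = [Path(d) / f"{name}.plist" for d in search_dirs]
    path = next((p for p in candidates if p.is_file()), None)
    if path is None:
        return ("not-found", name)
    try:
        with path.open("rb") as fh:
            data = plistlib.load(fh)  # handles XML and binary plists
    except Exception:  # plistlib raises several parser-specific errors
        return ("unreadable", str(path))
    if not isinstance(data, dict) or key not in data:
        return ("no-key", key)
    value = data[key]
    # Only String and Number (assumed: integer or real) values can be matched.
    # bool subclasses int in Python, so exclude it: a plist Boolean is not a Number.
    if isinstance(value, bool) or not isinstance(value, (str, int, float)):
        return ("unsupported-type", type(value).__name__)
    return ("ok", value)

def demo():
    """Run the checks against a constructed plist in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample; "ExampleFlag" is a made-up Boolean key.
        sample = {"GoToField": "~/Library/Preferences", "ExampleFlag": True}
        with open(Path(tmp) / "com.apple.finder.plist", "wb") as fh:
            plistlib.dump(sample, fh)
        dirs = (Path(tmp) / "no-system-copy", Path(tmp))  # stand-ins for the two folders
        return [
            check_hip_plist("com.apple.finder", "GoToField", dirs),
            check_hip_plist("com.apple.finder", "ExampleFlag", dirs),
            check_hip_plist("/Users/user1/Library/Safari/Bookmarks", "Title", dirs),
            check_hip_plist("com.apple.finder.plist", "GoToField", dirs),
        ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

An "ok" result returns the value as stored in the plist; as the article shows, the client may report a different string, so configure the HIP object with what the host reports.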