macos-security
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesemacos-security
macOS安全防护
Purpose
用途
This skill enables the AI agent to manage macOS security features, including XProtect for malware detection, MRT for removal, TCC for privacy permissions, quarantine attributes, code signing validation, and security audits. Use it to harden macOS systems against threats and ensure compliance.
该技能支持AI Agent管理macOS安全功能,包括用于恶意软件检测的XProtect、用于威胁清除的MRT、用于隐私权限管控的TCC、隔离属性、代码签名验证以及安全审计。可通过它强化macOS系统的威胁防御能力,确保合规性。
When to Use
适用场景
Apply this skill during system hardening routines, app deployment checks, privacy audits, or malware scans. Use it for new macOS setups, software installations, or when troubleshooting security issues like unauthorized app access or unsigned binaries.
可在系统加固流程、应用部署检查、隐私审计或恶意软件扫描时使用该技能。适用于全新macOS系统配置、软件安装,或排查未授权应用访问、无签名二进制文件等安全问题的场景。
Key Capabilities
核心能力
- Detect malware via XProtect by querying the latest definitions and scanning files.
- Run MRT to remove known threats from the system.
- Manage TCC permissions to control app access to sensitive data like camera or contacts.
- Inspect and remove quarantine flags on downloaded files to allow execution.
- Validate code signing for apps to ensure they are from trusted developers.
- Perform security audits using system logs to identify potential breaches.
- 通过查询最新病毒库并扫描文件,借助XProtect检测恶意软件。
- 运行MRT清除系统中的已知威胁。
- 管理TCC权限,控制应用对摄像头、通讯录等敏感数据的访问权限。
- 检查并移除下载文件的隔离标记,允许其执行。
- 验证应用的代码签名,确保其来自可信开发者。
- 通过系统日志执行安全审计,识别潜在的入侵行为。
Usage Patterns
使用模式
Invoke this skill in scripts for automated hardening, e.g., during VM provisioning or CI/CD pipelines for macOS apps. Use it reactively for incident response or proactively in scheduled tasks. For AI agents, call it via function wrappers that handle macOS-specific commands, ensuring elevated privileges with where needed. Pattern: Check security status first, then apply fixes.
sudo可在自动化加固脚本中调用该技能,例如在虚拟机配置过程中,或macOS应用的CI/CD流水线中。可用于事件响应的被动处理,也可作为定时任务主动执行。对于AI Agent,可通过封装macOS特定命令的函数调用它,确保在需要时使用获取提升权限。使用模式:先检查安全状态,再应用修复措施。
sudoCommon Commands/API
常用命令/API
Use these macOS CLI commands for security tasks. All require admin privileges; check for errors via exit codes.
- XProtect scan: Use to check for updates, then
softwareupdate --list(via internal tools). Example snippet:xprotect scan /path/to/filesystem("softwareupdate --list"); if (exit_code != 0) { handle_error("Update check failed"); } - MRT removal: Run to trigger malware removal. Example snippet:
/usr/libexec/MRTConfigData removesystem("/usr/libexec/MRTConfigData remove"); print("MRT executed; check logs for results."); - TCC permissions: Use to reset or
tccutil reset <service> <app>to grant. Example:tccutil set <service> <app> allowfor camera access.tccutil set Camera com.example.app allow - Quarantine handling: Check with and remove via
xattr -l /path/to/file. Example snippet:xattr -d com.apple.quarantine /path/to/filexattr -l /path/to/file; if (grep("com.apple.quarantine")) { system("xattr -d com.apple.quarantine /path/to/file"); } - Code signing validation: Run to check signatures. Example:
codesign -vvv --verify --strict /path/to/appfor detailed verification.codesign -dvvv /Applications/MyApp.app - Security audit: Query logs with . Config format: Use predicates in
log show --predicate 'subsystem == "com.apple.securityd"' --last 1hcommand for filtering, e.g., JSON output vialog.--style json
If API keys are needed (e.g., for third-party security tools), use env vars like in scripts: .
$SECURITY_API_KEYcurl -H "Authorization: Bearer $SECURITY_API_KEY" https://api.example.com/scan使用以下macOS CLI命令执行安全任务。所有命令均需要管理员权限;可通过退出码检查错误。
- XProtect扫描:使用检查更新,然后通过内部工具执行
softwareupdate --list。 示例代码片段:xprotect scan /path/to/filesystem("softwareupdate --list"); if (exit_code != 0) { handle_error("Update check failed"); } - MRT威胁清除:运行触发恶意软件清除。 示例代码片段:
/usr/libexec/MRTConfigData removesystem("/usr/libexec/MRTConfigData remove"); print("MRT executed; check logs for results."); - TCC权限管理:使用重置权限,或使用
tccutil reset <service> <app>授予权限。 示例:tccutil set <service> <app> allow用于授予摄像头访问权限。tccutil set Camera com.example.app allow - 隔离机制处理:使用检查隔离标记,通过
xattr -l /path/to/file移除标记。 示例代码片段:xattr -d com.apple.quarantine /path/to/filexattr -l /path/to/file; if (grep("com.apple.quarantine")) { system("xattr -d com.apple.quarantine /path/to/file"); } - 代码签名验证:运行检查签名。 示例:
codesign -vvv --verify --strict /path/to/app用于详细验证。codesign -dvvv /Applications/MyApp.app - 安全审计:使用查询日志。 配置格式:在
log show --predicate 'subsystem == "com.apple.securityd"' --last 1h命令中使用谓词进行过滤,例如通过log输出JSON格式。--style json
如果需要API密钥(例如第三方安全工具),可在脚本中使用环境变量如:。
$SECURITY_API_KEYcurl -H "Authorization: Bearer $SECURITY_API_KEY" https://api.example.com/scanIntegration Notes
集成说明
Integrate by wrapping commands in AI agent functions, e.g., use Python's subprocess to call . For automation, combine with tools like Jamf or MDM APIs. Ensure the agent runs with sufficient privileges; use for user prompts if needed. Config files like can be edited for TCC policies, but back them up first. Test integrations in a sandboxed macOS environment to avoid disruptions.
tccutilosascript/etc/authorization可通过将命令封装到AI Agent函数中实现集成,例如使用Python的subprocess调用。对于自动化场景,可与Jamf或MDM API结合使用。确保Agent拥有足够的权限;必要时使用发起用户提示。可编辑等配置文件修改TCC策略,但修改前请先备份。在沙箱化的macOS环境中测试集成,避免造成系统中断。
tccutilosascript/etc/authorizationError Handling
错误处理
Always check command exit codes; for example, if returns non-zero, log the error and suggest re-signing. Parse outputs for specific strings, e.g., if fails with "Access denied", prompt for admin elevation. Use try-catch in scripts:
codesigntccutiltry {
system("tccutil set Camera com.example.app allow");
} catch (e) {
if (e.includes("permission")) { system("sudo -u root tccutil set Camera com.example.app allow"); }
}Common errors: Permission issues (use ), file not found (verify paths), or outdated XProtect (run updates first). Log all errors to for auditing.
sudo/var/log/securityd.log始终检查命令的退出码;例如,如果返回非零值,记录错误并建议重新签名。解析输出中的特定字符串,例如如果返回“Access denied”,提示获取管理员权限。在脚本中使用try-catch块:
codesigntccutiltry {
system("tccutil set Camera com.example.app allow");
} catch (e) {
if (e.includes("permission")) { system("sudo -u root tccutil set Camera com.example.app allow"); }
}常见错误:权限问题(使用解决)、文件未找到(验证路径)、XProtect版本过时(先执行更新)。将所有错误记录到以便审计。
sudo/var/log/securityd.logConcrete Usage Examples
具体使用示例
-
Malware Scan and Removal: To scan a suspicious file and remove threats:
- First, update XProtect: .
softwareupdate --install --all - Then run MRT: .
system("/usr/libexec/MRTConfigData remove") - Verify: . This ensures the system is cleaned; handle errors by checking if MRT is available.
log show --predicate 'eventMessage contains "MRT"'
- First, update XProtect:
-
TCC Permission Management for an App: To grant camera access to a new app:
- Check current status: .
tccutil reset Camera com.example.app - Grant permission: .
tccutil set Camera com.example.app allow - Test: Run the app and confirm access.
If errors occur, use and log the action for auditing.
sudo
- Check current status:
-
恶意软件扫描与清除:扫描可疑文件并清除威胁:
- 首先,更新XProtect:.
softwareupdate --install --all - 然后运行MRT:.
system("/usr/libexec/MRTConfigData remove") - 验证:. 此流程可确保系统被清理;通过检查MRT是否可用处理错误。
log show --predicate 'eventMessage contains "MRT"'
- 首先,更新XProtect:
-
应用TCC权限管理:为新应用授予摄像头访问权限:
- 检查当前状态:.
tccutil reset Camera com.example.app - 授予权限:.
tccutil set Camera com.example.app allow - 测试:运行应用并确认访问权限。
如果出现错误,使用执行并记录操作以便审计。
sudo
- 检查当前状态:
Graph Relationships
关联关系
- Related to: macos-filesystem (for handling quarantined files)
- Depends on: macos-networking (for security audits involving network logs)
- Conflicts with: none
- Used by: general-security (as a subsystem for macOS-specific hardening)
- 关联:macos-filesystem(用于处理隔离文件)
- 依赖:macos-networking(用于涉及网络日志的安全审计)
- 冲突:无
- 被使用:general-security(作为macOS特定加固的子系统)