cmdReporter Wiki

Uninstalling cmdReporter

The following script will uninstall cmdReporter and return the /etc/security/audit_control file to it's original state.

#!/bin/bash

GUI_USER=$(who | grep console | grep -v '_mbsetupuser' | awk '{print $1}')
GUI_UID=$(id -u "$GUI_USER")

# LaunchDaemon
/bin/launchctl unload "/Library/LaunchDaemons/com.cmdsec.cmdReporter.plist"
/bin/rm "/Library/LaunchDaemons/com.cmdsec.cmdReporter.plist"

/bin/launchctl bootout "gui/$GUI_UID" "/Library/LaunchAgents/com.cmdsec.cmdReporterHelper.plist"
/bin/rm "/Library/LaunchAgents/com.cmdsec.cmdReporterHelper.plist"

# Double check proc killed
/usr/bin/killall cmdReporter
/usr/bin/killall cmdReporterHelper

# Binary
/bin/rm -f /usr/local/bin/cmdReporter
/bin/rm -f /usr/local/bin/cmdReporterHelper

# Logs
/bin/rm -f /var/log/cmdReporter.*

# Restore audit_control file
if [[ -e /etc/security/audit_control.backup ]]; then
  # Change audit control file back to values before cmdReporter install
  /bin/rm /etc/security/audit_control
  /bin/mv /etc/security/audit_control.backup /etc/security/audit_control

  # Reload the audit config
  /usr/sbin/audit -s
else
  # Add arge to flags for env information in logs
  /usr/bin/sed -i .backup 's|policy:cnt,argv,arge|policy:cnt,argv|' /etc/security/audit_control
  # Reload the audit config
  /usr/sbin/audit -s
fi


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.