
10 Terminal Commands Every Mac User Should Know for Security

Hassanain

The first time I opened Terminal on my Mac, I was genuinely terrified I'd break something. Fast forward a few years, and I'm running commands daily to check system security, monitor network connections, and dig into processes that Activity Monitor doesn't show me clearly enough.

When I was testing CoreLock's process scanner, I learned more about macOS internals in three months than I did in years of using a Mac. The system is way more complex under the hood than most people realize. But here's the thing: you don't need to become a command-line wizard to use Terminal for basic security checks.

These ten commands have become part of my regular Mac security routine. Some I run weekly, others only when something feels off. I'll show you exactly what each one does and why it matters for keeping your Mac secure.

Check What's Connected to the Internet

sudo lsof -i

This command shows every process on your Mac that's currently using network connections. The name lsof stands for "list open files," but in Unix-land, network connections are treated like files.

When you run this, you'll see a bunch of output that might look intimidating at first. Each line shows a process name, its process ID (PID), the user running it, and what network connection it's using. Look for anything unexpected.

I run this whenever my Mac feels sluggish or my network activity seems higher than normal. Last month, it helped me spot a browser extension that was making suspicious connections to servers I didn't recognize.

The sudo part means you're running this with administrator privileges, which lets you see network connections from all users and system processes. Without it, you'd only see your own user's connections.

See All Network Connections and Listening Ports

netstat -an

While lsof -i shows active connections tied to specific processes, netstat -an gives you a broader view of your Mac's network state. It lists all network connections and ports that are listening for incoming connections.

The -a flag shows all connections (active and listening), and -n displays addresses and port numbers numerically instead of trying to resolve them to names. This makes the output faster and often more useful for security checking.

Pay attention to anything listening on unusual ports or connections to IP addresses you don't recognize. Most of what you'll see is normal system stuff, but occasionally you'll spot something worth investigating further.

Honestly, this one takes some practice to interpret. The output format isn't exactly user-friendly. But once you get familiar with what normal looks like on your system, anomalies stand out pretty clearly.
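The two snapshots above become much easier to read once you stop scanning them by eye and let a couple of small filters do the first pass. The script below is an added example, not code from the original post or from CoreLock. It assumes lsof is run as "sudo lsof -i -nP" (the -nP flags are an assumption added here so that hosts and ports print numerically, which keeps the parsing simple) and netstat as "netstat -an". The two sample outputs embedded in it are constructed; every PID, address and port in them is made up, and the "80 443" allow-list and the "22 631" listener baseline are placeholder values you would replace with what is normal on your own Mac.

```shell
#!/bin/sh
# Added example, not from the original post: triage helpers for the output of
# "sudo lsof -i -nP" and "netstat -an". The -nP flags are an assumption added
# here so hosts and ports print numerically. Both samples are constructed.

SAMPLE_LSOF='COMMAND     PID           USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd       1           root    8u  IPv6 0x1a2b      0t0  TCP *:22 (LISTEN)
rapportd    402           hass    5u  IPv4 0x1a2c      0t0  TCP *:49152 (LISTEN)
Safari     4211           hass   34u  IPv4 0x1a2d      0t0  TCP 192.168.1.20:52344->93.184.216.34:443 (ESTABLISHED)
Safari     4211           hass   35u  IPv4 0x1a2e      0t0  TCP 192.168.1.20:52345->93.184.216.34:443 (ESTABLISHED)
updater    5120           hass    5u  IPv4 0x1a2f      0t0  TCP 192.168.1.20:52350->203.0.113.7:4444 (ESTABLISHED)
mDNSRespo   312 _mdnsresponder    7u  IPv4 0x1a30      0t0  UDP *:5353'

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.52344     93.184.216.34.443      ESTABLISHED
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.49152                *.*                    LISTEN
udp4       0      0  *.5353                 *.*'

# One line per (process, PID, remote endpoint) that is currently ESTABLISHED,
# read from lsof output on stdin. The NAME column looks like
# local:port->remote:port, so everything after "->" is the remote side.
established_connections() {
  awk '$NF == "(ESTABLISHED)" {
         n = index($(NF-1), "->")
         print $1, $2, substr($(NF-1), n + 2)
       }' | sort -u
}

# Keep only connections whose remote port is not in a space-separated
# allow-list (default: plain web traffic). These are what you look at first.
flag_unusual_remote_ports() {
  awk -v allow="${1:-80 443}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { port = $3; sub(/.*:/, "", port); if (!(port in ok)) print }'
}

# Listening TCP sockets from netstat output on stdin, as "port local-address".
# macOS netstat separates the port with a dot, so the port is the text after
# the last dot; "*" as the address means the socket is bound on every interface.
listening_tcp() {
  awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
         port = $4; sub(/.*\./, "", port); print port, $4
       }' | sort -n
}

# Listeners whose port is absent from a space-separated baseline you recorded
# on a known-good day (the "22 631" used below is an assumed baseline).
unexpected_listeners() {
  awk -v baseline="$1" '
    BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    !($1 in ok) { print }'
}

# Demo on the constructed samples. On a real Mac replace the printf with the
# live command, e.g.  sudo lsof -i -nP | established_connections
echo "== established connections on non-web ports =="
printf '%s\n' "$SAMPLE_LSOF" | established_connections | flag_unusual_remote_ports "80 443"
echo "== listeners not in baseline =="
printf '%s\n' "$SAMPLE_NETSTAT" | listening_tcp | unexpected_listeners "22 631"
```

Run once on a quiet day and keep the listener list as your baseline; from then on the second report only prints what changed, which is exactly the "anomalies stand out" habit described above, without re-reading the whole table each time.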

List All User Accounts

dscl . list /Users

This command queries the Directory Service to show every user account on your Mac. On a personal Mac, you should typically see your main account, maybe a guest account, and several system accounts like _spotlight and daemon.

The scary thing is that malware sometimes creates hidden user accounts to maintain persistence on your system. I've seen cases where attackers create accounts with names that look like system accounts but aren't quite right.

Look for any usernames you don't recognize or accounts that seem suspicious. System accounts usually start with underscores or have obvious system-related names. Your personal accounts should be ones you remember creating.

From what I've seen, this is one of the checks that catches things other tools miss. When I was building CoreLock's user account monitoring, I found test systems with accounts I'd completely forgotten about – some legitimate, others not so much.
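Names are exactly what an attacker controls, so a check that relies on the underscore convention alone can be fooled. The numeric user ID is harder to disguise: macOS hands out IDs from 500 upward to accounts created for people, while the built-in service accounts sit below 500. The script below is an added example, not code from the original post or from CoreLock. It builds on "dscl . -list /Users UniqueID", which prints each account next to its ID, and filters on the number instead of the name. The sample output is constructed; "support" and "_updater" are invented accounts standing in for the kind of thing this check is meant to catch, and "hassan" is an assumed known account.

```shell
#!/bin/sh
# Added example, not from the original post: review accounts by numeric ID
# using "dscl . -list /Users UniqueID". The sample below is constructed.

SAMPLE_DSCL='_amavisd                83
_appleevents            55
_spotlight              89
daemon                  1
hassan                  501
nobody                  -2
root                    0
support                 502
_updater                503'

# Accounts whose UniqueID is 500 or higher, i.e. created for a person (or by
# something that wanted to look like one), sorted by ID. Note that "_updater"
# is listed even though its underscore prefix makes it look like a system
# account: the ID gives it away.
person_accounts() {
  awk '$2 + 0 >= 500 { print $1, $2 }' | sort -k2 -n
}

# From the person_accounts list, print any account not in a space-separated
# list of names you know you created (an assumed list is passed below).
unexpected_accounts() {
  awk -v known="$1" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    !($1 in ok) { print }'
}

# Demo on the constructed sample. On a real Mac:
#   dscl . -list /Users UniqueID | person_accounts | unexpected_accounts "hassan"
echo "== accounts with UID >= 500 that I did not create =="
printf '%s\n' "$SAMPLE_DSCL" | person_accounts | unexpected_accounts "hassan"
```

For anything the second report prints, the next question is whether the account is hidden from the login window; "dscl . -read /Users/NAME IsHidden" answers that, since an IsHidden value of 1 keeps an account off the login screen while leaving it fully usable.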

Check Recent Login History

last

Simple command, powerful results. This shows you a history of user logins and system reboots on your Mac. Each line includes the username, terminal or console used, login time, and logout time.

If you see login sessions you don't remember, especially from remote locations or at odd hours, that's worth investigating. The command shows both successful logins and system shutdowns/reboots, so you can spot patterns.

I check this whenever I'm troubleshooting security issues or just want to verify that no one else has been using my Mac. It's particularly useful if you share your computer with family members and want to see usage patterns.

The output typically goes back several months, depending on your system's log rotation settings. You can also run last followed by a username to see the login history for that specific account.

Search System Logs for Security Events

log show --predicate 'category == "security"' --last 1d

macOS keeps extensive logs of system events, and this command filters them to show security-related entries from the last day. You can change 1d to 1h for the last hour or 1w for the last week.

The output includes authentication attempts, Gatekeeper decisions, keychain access, and other security-relevant events. It's particularly useful for investigating suspicious activity or understanding what happened during a security incident.

To be fair, the log output can be overwhelming. macOS logs *everything*, and parsing through it takes practice. But when you need to track down what happened and when, these logs are invaluable.

You can also search for specific terms with --predicate 'eventMessage CONTAINS "failed"' (eventMessage is the predicate key for the text of a log entry) to look for failed authentication attempts or other error conditions.

Check System Integrity Protection Status

csrutil status

System Integrity Protection (SIP) is one of macOS's most important security features. It prevents modification of critical system files and directories, even by processes running with root privileges.

This command tells you whether SIP is enabled or disabled. On a properly secured Mac, it should show "System Integrity Protection status: enabled." If it shows disabled, that's a red flag – either you disabled it intentionally for development work, or something else did.

I've seen malware that attempts to disable SIP to gain deeper system access. While disabling SIP requires physical access and a restart into Recovery Mode, it's worth checking if you suspect your system has been compromised.

Some legitimate software (particularly development tools) might ask you to disable SIP, but think carefully before doing so. It's one of your Mac's strongest security layers.

Verify Gatekeeper Status

spctl --status

Gatekeeper is the system that checks downloaded applications against Apple's security policies before they can run. This command shows whether it's enabled or disabled.

You should see "assessments enabled" on a secure system. If Gatekeeper is disabled, your Mac will run any application without checking if it's signed by a known developer or distributed through the App Store.

Sometimes people disable Gatekeeper to run unsigned software, which I get – development work often requires this. But leaving it disabled permanently isn't great for security. You can enable it again with sudo spctl --master-enable.

Here's where it gets interesting though: even with Gatekeeper enabled, you can still run unsigned software by right-clicking and choosing "Open" the first time. This gives you control while maintaining the security benefit for most applications.
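The two status checks above are the ones worth scripting first, because the answer should never change on a Mac you haven't deliberately reconfigured. The script below is an added example, not code from the original post or from CoreLock. It classifies the text that csrutil status and spctl --status print and fails unless both protections are fully on. One caveat it handles that a plain grep for "enabled" would miss: when only some SIP protections are on, csrutil reports "unknown (Custom Configuration)" rather than enabled, and the check treats that as a failure. The outputs fed to it at the bottom are constructed so it can run anywhere; posture_live wires in the real commands on a Mac.

```shell
#!/bin/sh
# Added example, not from the original post: a small posture check over the
# output of "csrutil status" and "spctl --status". Sample outputs at the
# bottom are constructed.

# Classify csrutil output. Besides plain enabled/disabled, csrutil reports
# "unknown (Custom Configuration)" when only some SIP protections are on;
# that is checked first so it is never mistaken for fully enabled.
sip_state() {
  case "$1" in
    *"Custom Configuration"*)  echo "partial";      return 1 ;;
    *"status: enabled"*)       echo "enabled";      return 0 ;;
    *"status: disabled"*)      echo "disabled";     return 1 ;;
    *)                         echo "unrecognized"; return 2 ;;
  esac
}

# Classify spctl --status output.
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)   echo "enabled";      return 0 ;;
    *"assessments disabled"*)  echo "disabled";     return 1 ;;
    *)                         echo "unrecognized"; return 2 ;;
  esac
}

# Print one line per check and return 0 only if every check passed. The raw
# command outputs are arguments so the logic can be exercised without root or
# without a Mac; posture_live below supplies the real ones.
posture_report() {
  failures=0
  s=$(sip_state "$1") || failures=$((failures + 1))
  g=$(gatekeeper_state "$2") || failures=$((failures + 1))
  echo "SIP: $s"
  echo "Gatekeeper: $g"
  [ "$failures" -eq 0 ]
}

# Run the real commands when they exist (i.e. on macOS).
posture_live() {
  command -v csrutil >/dev/null 2>&1 || { echo "csrutil not found"; return 2; }
  posture_report "$(csrutil status 2>&1)" "$(spctl --status 2>&1)"
}

# Demo with constructed outputs: a healthy Mac, then Gatekeeper off, then SIP
# only partly on. A non-zero exit is what a cron job or login script keys on.
posture_report "System Integrity Protection status: enabled." "assessments enabled"
posture_report "System Integrity Protection status: enabled." "assessments disabled" || echo "-> action needed"
posture_report "System Integrity Protection status: unknown (Custom Configuration)." "assessments enabled" || echo "-> action needed"
```

Because the function returns a status code instead of just printing, it drops straight into a weekly script: "posture_live || notify" is the whole automation, and the printed lines tell you which of the two layers moved.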

List All Running Services

sudo launchctl list

Launch daemons and agents are background processes that start automatically on your Mac. This command lists all of them, including system services and third-party software that runs in the background.

Each line shows a process ID (if it's currently running), the last exit status, and the service label. Look for services you don't recognize or that seem suspicious.

The tricky part is that many legitimate services have cryptic names. System services often have labels like com.apple.something, while third-party software typically uses reverse domain notation like com.company.productname.

This is actually one of the things we built CoreLock to handle more elegantly. Manually reviewing hundreds of launch services gets tedious, and it's easy to miss something important buried in the list.
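A first pass over that list is easy to script, and it removes most of the tedium: split Apple's own labels from everyone else's, and surface jobs whose last run did not exit cleanly. The script below is an added example, not code from the original post or from CoreLock. It reads the three columns of "sudo launchctl list" (PID, Status, Label; the real output is tab-separated, which awk handles the same as spaces) from a constructed sample in which the third-party labels are invented. The locate_service_plist helper looks in the standard launchd directories for a label's definition so you can read it with "plutil -p".

```shell
#!/bin/sh
# Added example, not from the original post: first-pass triage of
# "sudo launchctl list" output (columns PID, Status, Label). The sample is
# constructed and its non-Apple labels are invented.

SAMPLE_LAUNCHCTL='PID     Status  Label
-       0       com.apple.SafariHistoryServiceAgent
312     0       com.apple.mDNSResponder
-       78      com.example.updater
4412    0       com.example.vendor.agent
-       0       com.apple.xpc.launchd.domain.system'

# Services whose label is not under com.apple., printed as "pid status label"
# and sorted by label. A "-" in the PID column means the job is loaded but not
# running right now; it can still be started on demand or at next login.
third_party_services() {
  awk 'NR > 1 && $3 !~ /^com\.apple\./ { print $1, $2, $3 }' | sort -k3
}

# Services whose last run exited non-zero, Apple or not. A job that keeps
# failing to start is worth a look either way: broken software, or something
# that expects a file that is no longer there.
failed_services() {
  awk 'NR > 1 && $2 != 0 { print $1, $2, $3 }'
}

# Print the plist that defines a label, if it lives in one of the standard
# launchd directories. Empty output means it was loaded from somewhere else
# (or this is not a Mac), which is itself a reason to look closer.
locate_service_plist() {
  for d in /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents" \
           /System/Library/LaunchDaemons /System/Library/LaunchAgents; do
    [ -f "$d/$1.plist" ] && echo "$d/$1.plist"
  done
  return 0
}

# Demo on the constructed sample. On a real Mac:
#   sudo launchctl list | third_party_services
#   locate_service_plist com.example.updater | xargs -n1 plutil -p
echo "== non-Apple services =="
printf '%s\n' "$SAMPLE_LAUNCHCTL" | third_party_services
echo "== services with a non-zero last exit status =="
printf '%s\n' "$SAMPLE_LAUNCHCTL" | failed_services
```

Save the first report once and diff it against next week's; a label that appears out of nowhere is a far shorter list to research than the full few hundred entries.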

Read Application Preferences and Settings

defaults read com.apple.screensaver
defaults read ~/Library/Preferences/com.apple.screensaver.plist

The defaults command lets you read and modify preference files for macOS applications and system settings. Every app stores its preferences in these .plist files, and sometimes examining them reveals interesting security information.

You can replace com.apple.screensaver with any application's bundle identifier to see its stored preferences. This is useful for understanding what settings an application has changed or for detecting modifications made by malware.

For example, defaults read com.apple.loginwindow shows login window settings, while defaults read com.apple.Safari reveals Safari's current configuration. Some malware modifies browser settings through these files rather than through the UI.

I might be wrong about this, but I think reading these files manually gives you insights that GUI security tools sometimes miss. The preference files contain the raw truth about how your applications are configured.

Get Detailed File Information

mdls /Applications/TextEdit.app
mdls ~/Downloads/suspicious-file.dmg

The mdls command displays all metadata that Spotlight has indexed for a file or application. This includes creation dates, download sources, code signatures, and other security-relevant information.

For applications, you'll see the developer certificate information, bundle identifier, and version details. For downloaded files, you can see the original download URL and when the file was quarantined by Gatekeeper.

This is particularly useful when investigating suspicious files. The kMDItemWhereFroms attribute shows where a file was downloaded from, while kMDItemDateAdded shows when it appeared on your system.

Here's the thing though: this metadata can be stripped or spoofed, so don't rely on it as your only source of truth. It's one data point among many when evaluating file safety.

Building Your Security Routine

I always tell people: before you install any security tool, learn to use Activity Monitor. It won't catch everything, but it teaches you what "normal" looks like on your machine – and that's half the battle. These Terminal commands take that concept further.

Start with the basics. Run sudo lsof -i and netstat -an to get familiar with your Mac's normal network activity. Check csrutil status and spctl --status to make sure your core security features are enabled.

The terminal isn't scary once you get past the initial learning curve. I wrote my first security script in about 20 minutes, and it caught something that a paid antivirus missed completely. These commands are building blocks for understanding your system better.

To be fair, this is probably overkill for most people. If you just browse the web, check email, and use standard applications, you might never need these commands. But if you're dealing with malware issues or want to understand your Mac's security posture better, they're invaluable.

When Commands Aren't Enough

While these commands give you deep insight into your Mac's security state, manually running them regularly gets tedious. That's where automation comes in handy – either through simple shell scripts or dedicated security tools that monitor these things continuously.

The key is understanding what these commands show you, even if you eventually automate the checking. When something goes wrong, you'll know how to investigate manually and understand what the automated tools are actually doing behind the scenes.

Remember that security isn't just about running commands – it's about building habits and understanding your system well enough to notice when something's off. These Terminal commands are powerful tools for developing that understanding.
