macos-artifacts 0.6.2 → 0.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7feb1e41e9f2850f24e4d73a0c4ba4f2d82de33ea6df5bbeb2fd808b5d674239
-  data.tar.gz: 805ed33d8952f4c1194631ff05a204aef5b2c86db5e99199e72dd2e26d91ed3d
+  metadata.gz: f1ddf4c188e1d94cc14f5329bd1abb165a1364e0b270b394b4565e46a3861b75
+  data.tar.gz: 6cc605f5a9c737f23db1f52ed4e3bd09a271931f78e7607e7d8dff1032feaf8d
 SHA512:
-  metadata.gz: dea8017fa8709d8da75402bd76ee5cf1161192d23703c06f4c52f0eca8d7e73906cca66e3322dea7f423f7347c4e4d682da212ccf7777902f5637fd907bb2a1f
-  data.tar.gz: 8e44c1aaad14972586b11d4ea386b28fd09ca60771bd525ea817eaebb5302770e601b6593f7448937daa3389aa4bf6233c3092e9dd969c88d2e7b36d73cc9f14
+  metadata.gz: 27c015884b1a648d4cd1ef28d81e04824cdc40e3577a4f73cb1c2941214c57b05bedad3afd34cc4cbc05518ab4fee9f35b907c55547594c23bb817614ed58a51
+  data.tar.gz: 9ef5208b23c47e2cb5863efda227792e68279c0c047b1ab20bb0149b0c691b444845e8f440e56f8e9b52632fbbe55d9c87c5d8bb0e668e1281216a0ac43debc1

data/CHANGELOG.md

@@ -1,6 +1,20 @@
 # Change Log
 
 
+---
+## version 0.6.4
+- Add:  airdrop activity for the last 7 days shows timestamps. Macos::Artifacts::airDrop
+- Add: applications installed in current users account. Macos::Artifacts::Apps::userInstalledApplications
+- Fixed: IO error with Macos::Artifacts::Apps::applications when plist file didn't exist
+- Fixed: IO error with Macos::Artifacts::Files::systemLaunchAgents when is a symlink or doesn't exist
+
+
+---
+## version 0.6.3
+- Update: minor syntax change for System Extensions
+- Fixed: error with Apps::InstallHistory US-ASCII error
+
+
 ---
 ## version 0.6.2
 - Fixed: workaround for listing files in user directory where listing items in the .Trash resulted in an error

data/README.md

@@ -8,7 +8,7 @@ Output is simple text making it able to be scraped up by an MDM or EDR solution
 ---
 ## Installation:
 
-`sudp gem install macos-artifacts`
+`sudo gem install macos-artifacts`
 
 ---
 ## Usage:
@@ -16,6 +16,8 @@ Output is simple text making it able to be scraped up by an MDM or EDR solution
 `require 'macos/artifacts'`
 
 ```ruby
+Macos::Artifacts::Help::options
+
 Macos::Artifacts::computerName
 Macos::Artifacts::serial
 Macos::Artifacts::version
@@ -35,6 +37,14 @@ Macos::Artifacts::firewallStatus
 Macos::Artifacts::screenlockStatus
 Macos::Artifacts::lockStatus
 Macos::Artifacts::softwareUpdates
+Macos::Artifacts::airDrop
+
+Macos::Artifacts::Apps::applications
+Macos::Artifacts::Apps::packagesReceipts
+Macos::Artifacts::Apps::installHistory
+Macos::Artifacts::Apps::appInstallLocations
+Macos::Artifacts::Apps::userInstalledApplications
+
 Macos::Artifacts::Files::systemLaunchAgents
 Macos::Artifacts::Files::systemLaunchDaemons
 Macos::Artifacts::Files::userLaunchAgents
@@ -44,12 +54,22 @@ Macos::Artifacts::Files::userApplicationSupport
 Macos::Artifacts::Files::libraryPreferences
 Macos::Artifacts::Files::userLibraryPreferences
 Macos::Artifacts::Files::cronTabs
+
 Macos::Artifacts::Files::etcHosts
+Macos::Artifacts::Files::usrLocal
+Macos::Artifacts::Files::usrLocalBin
+Macos::Artifacts::Files::usrLocalSbin
+Macos::Artifacts::Files::usersShared
+Macos::Artifacts::Files::privateTmp
+Macos::Artifacts::Files::scriptInstallLocations
+
 Macos::Artifacts::State::users
 Macos::Artifacts::State::adminUsers
 Macos::Artifacts::State::systemExtensions
 Macos::Artifacts::State::processCPU
 Macos::Artifacts::State::processMemory
+Macos::Artifacts::State::openNetworkConnections
+Macos::Artifacts::State::networkInterfaces
 ```
 
 

data/lib/macos/artifacts/apps.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require 'json'
+require 'date'
+$currentUser = ENV['USER'] 
+
 module Macos
   module Artifacts
     module Apps
@@ -8,35 +12,39 @@ module Macos
         $applicationsDirectory = Dir.entries("#{$applicationsPath}")
         puts "Applications Folder:"
         $applicationsDirectory.sort!.each do  | filename |
-          if ! filename.start_with?(".")
+            if ! filename.start_with?(".")
             if File.extname(filename) == ".app"
-              plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/Contents/Info.plist")
-              data = CFPropertyList.native_types(plist.value)
-              data.each do |k,v|
-                if k == "CFBundleShortVersionString"
-                  puts "  #{$applicationsPath}/#{filename}: #{v}"
+                plistfile = "#{$applicationsPath}/#{filename}/Contents/Info.plist"
+                if File.exist?("#{plistfile}")
+                    plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/Contents/Info.plist")
+                    data = CFPropertyList.native_types(plist.value)
+                    data.each do |k,v|
+                        if k == "CFBundleShortVersionString"
+                            puts "  #{$applicationsPath}/#{filename}: #{v}"
+                        end
+                    end
                 end
-              end
+    
             else
-              if File.directory?("#{$applicationsPath}/#{filename}")
+                if File.directory?("#{$applicationsPath}/#{filename}")
                 puts "  #{$applicationsPath}/#{filename}:"
                 subpath =  Dir.entries("#{$applicationsPath}/#{filename}")
                 subpath.each do |subdirapp|
-                  if ! subdirapp.start_with?(".")
+                    if ! subdirapp.start_with?(".")
                     if File.extname(subdirapp) == ".app"
-                      plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/#{subdirapp}/Contents/Info.plist")
-                      data = CFPropertyList.native_types(plist.value)
-                      data.each do |k,v|
+                        plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/#{subdirapp}/Contents/Info.plist")
+                        data = CFPropertyList.native_types(plist.value)
+                        data.each do |k,v|
                         if k == "CFBundleShortVersionString"
-                          puts "    #{$applicationsPath}/#{filename}/#{subdirapp}: #{v}"
+                            puts "    #{$applicationsPath}/#{filename}/#{subdirapp}: #{v}"
+                        end
                         end
-                      end
                     end
-                  end
+                    end
+                end
                 end
-              end
             end
-          end
+            end
         end
       end
 
@@ -51,23 +59,22 @@ module Macos
       end
 
       def self.installHistory
-        history = `system_profiler SPInstallHistoryDataType `.split("\n")
-        history.shift
-        history.shift
-        puts "Application Install History:"
-        history.each do |item|
-          item = item.strip
-          if ! item.empty?
-            if item.start_with?(/^Version:/)
-              puts "    #{item}"
-            elsif item.start_with?(/^Source:/)
-              puts "    #{item}"
-            elsif item.start_with?(/^Install Date:/)
-              puts "    #{item}"
-            else
-              puts "  #{item}"
-            end
-          end
+        time =  DateTime.now
+        installs = `system_profiler -json SPInstallHistoryDataType`.strip
+        data = JSON.parse(installs)
+
+        puts "Software Install History:"
+        data["SPInstallHistoryDataType"].each do |item|
+            date = item["install_date"]
+            parsed_date = DateTime.parse(date)
+            installsDays =  (time - parsed_date).to_i
+          
+            puts "  Name: #{item["_name"]}"
+            puts "  Install Days: #{installsDays}"
+            puts "  Install Date: #{item["install_date"]}"
+            puts "  Version: #{item["install_version"]}"
+            puts "  Install Source: #{item["package_source"]}"
+            puts ""
         end
       end
 
@@ -80,8 +87,15 @@ module Macos
           end
         end
       end
-      
 
+      def self.userInstalledApplications
+        history = `mdfind -onlyin /Users/"#{$currentUser}" 'kMDItemKind == "Application"'`.split("\n")
+        puts "User Installed Applications:"
+        history.each do |item|
+          puts "  #{item.strip}"
+        end
+      end
+  
     end
   end
 end

data/lib/macos/artifacts/files.rb

@@ -11,14 +11,27 @@ module Macos
         $launchAgentDir = Dir.entries("#{$systemLaunchAgentsPath}")
         puts "System Launchagents:"
         $launchAgentDir.each do  | filename |
-          if filename != "." && filename != ".."
-            puts "  #{$systemLaunchAgentsPath}/#{filename}"
-            plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
-            data = CFPropertyList.native_types(plist.value)
-            data.each do |k,v|
-              puts "    #{k}: #{v}"
+            if filename != "." && filename != ".."
+                puts "  #{$systemLaunchAgentsPath}/#{filename}"
+                plistPath = "#{$systemLaunchAgentsPath}/#{filename}"
+                if File.exist?("#{plistPath}")
+                    plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
+                    data = CFPropertyList.native_types(plist.value)
+                    data.each do |k,v|
+                        puts "    #{k}: #{v}"
+                    end
+                end
+                if File.symlink?("#{plistPath}")
+                    filename = File.readlink("#{plistPath}")
+                    if File.exist?("#{filename}")
+                        plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
+                        data = CFPropertyList.native_types(plist.value)
+                        data.each do |k,v|
+                            puts "    #{k}: #{v}"
+                        end
+                    end
+                end
             end
-          end
         end
       end
 

data/lib/macos/artifacts/help.rb

@@ -29,6 +29,7 @@ module Macos
         puts "  Macos::Artifacts::screenlockStatus                  checks screenlock status and time" 
         puts "  Macos::Artifacts::lockStatus                        returns Activation Lock Status"
         puts "  Macos::Artifacts::softwareUpdates                   returns machines softwareupate settings"
+        puts "  Macos::Artifacts::airDrop                           returns timestamps of successful airdrops in last 7 days"
         puts ""
         puts "Macos::Artifacts::Files Usage:"
         puts "  Macos::Artifacts::Files::systemLaunchAgents         list output of installed /Library/LaunchAgents"
@@ -62,6 +63,7 @@ module Macos
         puts "  Macos::Artifacts::Apps::packagesReceipts            outputs list of installed packages"
         puts "  Macos::Artifacts::Apps::installHistory              outputs history of installed apps"
         puts "  Macos::Artifacts::Apps::appInstallLocations         outputs list of appliction install paths"
+        puts "  Macos::Artifacts::Apps::userInstalledApplications   outputs list of applictions installed in current users account"
         puts ""
       end
     end

data/lib/macos/artifacts/state.rb

@@ -36,55 +36,66 @@ module Macos
         
         puts "System Extensions:"
         sysext.each do |line|
-      
+          
           if line.start_with?('---')
             line = line.split(" ")
-            puts "  Type: #{line[1]}"
+            $extType = line[1]
           elsif !line.start_with?("enabled")
             line = line.split(" ")
             if line[0] = "*"
-              puts "  Enabled: true"
+              extEnabled = "true"
             else
-              puts "  Enabled: false"
+              extEnabled = "false"
             end
             if line[1] = "*"
-              puts "  Active: true"
+              extActive = "true"
             else
-              puts "  Active: false"
+              extActive = "false"
             end
-            puts "  TeamID: #{line[2]}"
-            puts "  BundleID: #{line[3]}"
-            puts "  Version: #{line[4]}"
-      
+            teamID = line[2]
+            bunldeID = line[3]
+            versionExt = line[4]
+        
             if line[5] != "[activated"
               if line[6] != "[activated"
                 if line[7] != "[activated"
                   if line[8] != "[activated"
-                    puts "  Name: #{line[5]} #{line[6]} #{line[7]} #{line[8]}"
+                    nameExt = "#{line[5]} #{line[6]} #{line[7]} #{line[8]}"
                   else
-                    puts "  Name: #{line[5]} #{line[6]} #{line[7]}"
+                    nameExt = "#{line[5]} #{line[6]} #{line[7]}"
                   end
                 end
               else
-                puts "  Name: #{line[5]}"
+                nameExt = "#{line[5]}"
               end
             else
-              puts "  Name: #{line[5]}"
+              nameExt = "#{line[5]}"
             end
       
             if line[6] == "[activated"
-              puts "  State: #{line[6]} #{line[7]}"
+              stateExt = "#{line[6]} #{line[7]}"
             elsif line[7]  == "[activated"
-              puts "  State: #{line[7]} #{line[8]}"
+              stateExt = "#{line[7]} #{line[8]}"
             elsif line[8]  == "[activated"
-              puts "  State: #{line[8]} #{line[9]}"
+              stateExt = "#{line[8]} #{line[9]}"
             elsif line[9]  == "[activated"
-              puts "  State: #{line[9]} #{line[10]}"
+              stateExt = "#{line[9]} #{line[10]}"
             else
-              puts "  State: #{line[6]} #{line[7]}"
+              stateExt = "#{line[6]} #{line[7]}"
             end
+            puts "  Type: #{$extType}"
+            puts "    Enabled: #{extEnabled}"
+            puts "    Active: #{extActive}"
+            puts "    Team ID: #{teamID}"
+            puts "    Bundle ID: #{bunldeID}"
+            puts "    Version:  #{versionExt}"
+            puts "    Name: #{nameExt}"
+            puts "    State: #{stateExt}"
           end
+          
        end
+       
+      
       end
 
       def self.processCPU

data/lib/macos/artifacts/version.rb

@@ -2,6 +2,6 @@
 
 module Macos
   module Artifacts
-    VERSION = "0.6.2"
+    VERSION = "0.6.4"
   end
 end

data/lib/macos/artifacts.rb

@@ -6,6 +6,8 @@ require_relative "artifacts/files"
 require_relative "artifacts/apps"
 require_relative "artifacts/help"
 require 'cfpropertylist'
+require 'json'
+
 
 $currentUser = ENV['USER'] 
 
@@ -141,5 +143,21 @@ module Macos
         puts "  Install Critical Updates: #{criticalUpdateInstall}"
       end
     end
+
+    def self.airDrop
+      airdropUsage = `log show --style json --last 7d --predicate 'subsystem == "com.apple.sharing" AND category == "AirDrop" AND eventMessage == "Sending Ask response with code OK (200)"'`.strip
+      data = JSON.parse(airdropUsage)
+
+      puts "Airdrop Activty last 7 Days:"
+      data.each do |item|
+          # puts item
+          puts "  UserID: #{item["userID"]}"
+          puts "  Subsystem: #{item["subsystem"]}"
+          puts "  Category: #{item["category"]}"
+          puts "  Time: #{item["timestamp"]}"
+          puts "  Message: #{item["eventMessage"]}"
+          puts ""
+      end
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: macos-artifacts
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.6.4
 platform: ruby
 authors:
 - nic scott
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-09-13 00:00:00.000000000 Z
+date: 2024-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler