macos-artifacts 0.6.2 → 0.6.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/README.md +21 -1
- data/lib/macos/artifacts/apps.rb +49 -35
- data/lib/macos/artifacts/files.rb +20 -7
- data/lib/macos/artifacts/help.rb +2 -0
- data/lib/macos/artifacts/state.rb +30 -19
- data/lib/macos/artifacts/version.rb +1 -1
- data/lib/macos/artifacts.rb +18 -0
- metadata +2 -2
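--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f1ddf4c188e1d94cc14f5329bd1abb165a1364e0b270b394b4565e46a3861b75
+data.tar.gz: 6cc605f5a9c737f23db1f52ed4e3bd09a271931f78e7607e7d8dff1032feaf8d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 27c015884b1a648d4cd1ef28d81e04824cdc40e3577a4f73cb1c2941214c57b05bedad3afd34cc4cbc05518ab4fee9f35b907c55547594c23bb817614ed58a51
+data.tar.gz: 9ef5208b23c47e2cb5863efda227792e68279c0c047b1ab20bb0149b0c691b444845e8f440e56f8e9b52632fbbe55d9c87c5d8bb0e668e1281216a0ac43debc1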
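--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,20 @@
 # Change Log
 
 
+---
+## version 0.6.4
+- Add: airdrop activity for the last 7 days shows timestamps. Macos::Artifacts::airDrop
+- Add: applications installed in current users account. Macos::Artifacts::Apps::userInstalledApplications
+- Fixed: IO error with Macos::Artifacts::Apps::applications when plist file didn't exist
+- Fixed: IO error with Macos::Artifacts::Files::systemLaunchAgents when is a symlink or doesn't exist
+
+
+---
+## version 0.6.3
+- Update: minor syntax change for System Extensions
+- Fixed: error with Apps::InstallHistory US-ASCII error
+
+
 ---
 ## version 0.6.2
 - Fixed: workaround for listing files in user directory where listing items in the .Trash resulted in an error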
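--- a/data/README.md
+++ b/data/README.md
@@ -8,7 +8,7 @@ Output is simple text making it able to be scraped up by an MDM or EDR solution
 ---
 ## Installation:
 
-`
+`sudo gem install macos-artifacts`
 
 ---
 ## Usage:
@@ -16,6 +16,8 @@ Output is simple text making it able to be scraped up by an MDM or EDR solution
 `require 'macos/artifacts'`
 
 ```ruby
+Macos::Artifacts::Help::options
+
 Macos::Artifacts::computerName
 Macos::Artifacts::serial
 Macos::Artifacts::version
@@ -35,6 +37,14 @@ Macos::Artifacts::firewallStatus
 Macos::Artifacts::screenlockStatus
 Macos::Artifacts::lockStatus
 Macos::Artifacts::softwareUpdates
+Macos::Artifacts::airDrop
+
+Macos::Artifacts::Apps::applications
+Macos::Artifacts::Apps::packagesReceipts
+Macos::Artifacts::Apps::installHistory
+Macos::Artifacts::Apps::appInstallLocations
+Macos::Artifacts::Apps::userInstalledApplications
+
 Macos::Artifacts::Files::systemLaunchAgents
 Macos::Artifacts::Files::systemLaunchDaemons
 Macos::Artifacts::Files::userLaunchAgents
@@ -44,12 +54,22 @@ Macos::Artifacts::Files::userApplicationSupport
 Macos::Artifacts::Files::libraryPreferences
 Macos::Artifacts::Files::userLibraryPreferences
 Macos::Artifacts::Files::cronTabs
+
 Macos::Artifacts::Files::etcHosts
+Macos::Artifacts::Files::usrLocal
+Macos::Artifacts::Files::usrLocalBin
+Macos::Artifacts::Files::usrLocalSbin
+Macos::Artifacts::Files::usersShared
+Macos::Artifacts::Files::privateTmp
+Macos::Artifacts::Files::scriptInstallLocations
+
 Macos::Artifacts::State::users
 Macos::Artifacts::State::adminUsers
 Macos::Artifacts::State::systemExtensions
 Macos::Artifacts::State::processCPU
 Macos::Artifacts::State::processMemory
+Macos::Artifacts::State::openNetworkConnections
+Macos::Artifacts::State::networkInterfaces
 ```
 
 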
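--- a/data/lib/macos/artifacts/apps.rb
+++ b/data/lib/macos/artifacts/apps.rb
@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require 'json'
+require 'date'
+$currentUser = ENV['USER']
+
 module Macos
 module Artifacts
 module Apps
@@ -8,35 +12,39 @@ module Macos
 $applicationsDirectory = Dir.entries("#{$applicationsPath}")
 puts "Applications Folder:"
 $applicationsDirectory.sort!.each do | filename |
-
+if ! filename.start_with?(".")
 if File.extname(filename) == ".app"
-
-
-
-
-
+plistfile = "#{$applicationsPath}/#{filename}/Contents/Info.plist"
+if File.exist?("#{plistfile}")
+plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/Contents/Info.plist")
+data = CFPropertyList.native_types(plist.value)
+data.each do |k,v|
+if k == "CFBundleShortVersionString"
+puts " #{$applicationsPath}/#{filename}: #{v}"
+end
+end
 end
-
+
 else
-
+if File.directory?("#{$applicationsPath}/#{filename}")
 puts " #{$applicationsPath}/#{filename}:"
 subpath = Dir.entries("#{$applicationsPath}/#{filename}")
 subpath.each do |subdirapp|
-
+if ! subdirapp.start_with?(".")
 if File.extname(subdirapp) == ".app"
-
-
-
+plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/#{subdirapp}/Contents/Info.plist")
+data = CFPropertyList.native_types(plist.value)
+data.each do |k,v|
 if k == "CFBundleShortVersionString"
-
+puts " #{$applicationsPath}/#{filename}/#{subdirapp}: #{v}"
+end
 end
-end
 end
-
+end
+end
 end
-end
 end
-
+end
 end
 end
 
@@ -51,23 +59,22 @@ module Macos
 end
 
 def self.installHistory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-end
+time = DateTime.now
+installs = `system_profiler -json SPInstallHistoryDataType`.strip
+data = JSON.parse(installs)
+
+puts "Software Install History:"
+data["SPInstallHistoryDataType"].each do |item|
+date = item["install_date"]
+parsed_date = DateTime.parse(date)
+installsDays = (time - parsed_date).to_i
+
+puts " Name: #{item["_name"]}"
+puts " Install Days: #{installsDays}"
+puts " Install Date: #{item["install_date"]}"
+puts " Version: #{item["install_version"]}"
+puts " Install Source: #{item["package_source"]}"
+puts ""
 end
 end
 
@@ -80,8 +87,15 @@ module Macos
 end
 end
 end
-
 
+def self.userInstalledApplications
+history = `mdfind -onlyin /Users/"#{$currentUser}" 'kMDItemKind == "Application"'`.split("\n")
+puts "User Installed Applications:"
+history.each do |item|
+puts " #{item.strip}"
+end
+end
+
 end
 end
 end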
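Review bot: In the new `userInstalledApplications`, `ENV['USER']` is interpolated into a backtick command (`mdfind -onlyin /Users/"#{$currentUser}" …`), so the value is parsed by a shell, and double quotes do not stop command substitution inside it; the README's `sudo gem install` suggests the gem is meant for privileged MDM/EDR collection runs. Passing an argument vector keeps the shell out of it: `history = IO.popen(['mdfind', '-onlyin', "/Users/#{$currentUser}", 'kMDItemKind == "Application"'], &:read).split("\n")`. Under sudo, `USER` is usually the target account rather than the logged-in user, so the path may also point at the wrong home directory. Separately, the nested `.app` branch in `applications` still calls `CFPropertyList::List.new` without the `File.exist?` guard this commit adds for the top-level branch.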
@@ -11,14 +11,27 @@ module Macos
|
|
11
11
|
$launchAgentDir = Dir.entries("#{$systemLaunchAgentsPath}")
|
12
12
|
puts "System Launchagents:"
|
13
13
|
$launchAgentDir.each do | filename |
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
14
|
+
if filename != "." && filename != ".."
|
15
|
+
puts " #{$systemLaunchAgentsPath}/#{filename}"
|
16
|
+
plistPath = "#{$systemLaunchAgentsPath}/#{filename}"
|
17
|
+
if File.exist?("#{plistPath}")
|
18
|
+
plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
|
19
|
+
data = CFPropertyList.native_types(plist.value)
|
20
|
+
data.each do |k,v|
|
21
|
+
puts " #{k}: #{v}"
|
22
|
+
end
|
23
|
+
end
|
24
|
+
if File.symlink?("#{plistPath}")
|
25
|
+
filename = File.readlink("#{plistPath}")
|
26
|
+
if File.exist?("#{filename}")
|
27
|
+
plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
|
28
|
+
data = CFPropertyList.native_types(plist.value)
|
29
|
+
data.each do |k,v|
|
30
|
+
puts " #{k}: #{v}"
|
31
|
+
end
|
32
|
+
end
|
33
|
+
end
|
20
34
|
end
|
21
|
-
end
|
22
35
|
end
|
23
36
|
end
|
24
37
|
|
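Review bot: The symlink branch checks one path and opens another: `File.exist?("#{filename}")` tests the raw `File.readlink` target (resolved against the current directory when it is relative), while `CFPropertyList::List.new` is given `"#{$systemLaunchAgentsPath}/#{filename}"`, which for an absolute target is a path that does not exist. Resolve the target once and use it for both, e.g. `target = File.expand_path(File.readlink(plistPath), $systemLaunchAgentsPath)`, then `if File.exist?(target)` and `CFPropertyList::List.new(:file => target)`. Because `File.exist?` follows links, a valid symlink is already parsed by the first branch, so its keys would print twice; and since a symlinked launch agent is itself a useful persistence indicator, printing the resolved target would help whoever reads the output. The page shows this hunk without a file header (it appears to be `files.rb`'s `systemLaunchAgents`, per the changelog and diffstat), and the enclosing method starts outside the hunk.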
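--- a/data/lib/macos/artifacts/help.rb
+++ b/data/lib/macos/artifacts/help.rb
@@ -29,6 +29,7 @@ module Macos
 puts " Macos::Artifacts::screenlockStatus checks screenlock status and time"
 puts " Macos::Artifacts::lockStatus returns Activation Lock Status"
 puts " Macos::Artifacts::softwareUpdates returns machines softwareupate settings"
+puts " Macos::Artifacts::airDrop returns timestamps of successful airdrops in last 7 days"
 puts ""
 puts "Macos::Artifacts::Files Usage:"
 puts " Macos::Artifacts::Files::systemLaunchAgents list output of installed /Library/LaunchAgents"
@@ -62,6 +63,7 @@ module Macos
 puts " Macos::Artifacts::Apps::packagesReceipts outputs list of installed packages"
 puts " Macos::Artifacts::Apps::installHistory outputs history of installed apps"
 puts " Macos::Artifacts::Apps::appInstallLocations outputs list of appliction install paths"
+puts " Macos::Artifacts::Apps::userInstalledApplications outputs list of applictions installed in current users account"
 puts ""
 end
 end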
@@ -36,55 +36,66 @@ module Macos
|
|
36
36
|
|
37
37
|
puts "System Extensions:"
|
38
38
|
sysext.each do |line|
|
39
|
-
|
39
|
+
|
40
40
|
if line.start_with?('---')
|
41
41
|
line = line.split(" ")
|
42
|
-
|
42
|
+
$extType = line[1]
|
43
43
|
elsif !line.start_with?("enabled")
|
44
44
|
line = line.split(" ")
|
45
45
|
if line[0] = "*"
|
46
|
-
|
46
|
+
extEnabled = "true"
|
47
47
|
else
|
48
|
-
|
48
|
+
extEnabled = "false"
|
49
49
|
end
|
50
50
|
if line[1] = "*"
|
51
|
-
|
51
|
+
extActive = "true"
|
52
52
|
else
|
53
|
-
|
53
|
+
extActive = "false"
|
54
54
|
end
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
55
|
+
teamID = line[2]
|
56
|
+
bunldeID = line[3]
|
57
|
+
versionExt = line[4]
|
58
|
+
|
59
59
|
if line[5] != "[activated"
|
60
60
|
if line[6] != "[activated"
|
61
61
|
if line[7] != "[activated"
|
62
62
|
if line[8] != "[activated"
|
63
|
-
|
63
|
+
nameExt = "#{line[5]} #{line[6]} #{line[7]} #{line[8]}"
|
64
64
|
else
|
65
|
-
|
65
|
+
nameExt = "#{line[5]} #{line[6]} #{line[7]}"
|
66
66
|
end
|
67
67
|
end
|
68
68
|
else
|
69
|
-
|
69
|
+
nameExt = "#{line[5]}"
|
70
70
|
end
|
71
71
|
else
|
72
|
-
|
72
|
+
nameExt = "#{line[5]}"
|
73
73
|
end
|
74
74
|
|
75
75
|
if line[6] == "[activated"
|
76
|
-
|
76
|
+
stateExt = "#{line[6]} #{line[7]}"
|
77
77
|
elsif line[7] == "[activated"
|
78
|
-
|
78
|
+
stateExt = "#{line[7]} #{line[8]}"
|
79
79
|
elsif line[8] == "[activated"
|
80
|
-
|
80
|
+
stateExt = "#{line[8]} #{line[9]}"
|
81
81
|
elsif line[9] == "[activated"
|
82
|
-
|
82
|
+
stateExt = "#{line[9]} #{line[10]}"
|
83
83
|
else
|
84
|
-
|
84
|
+
stateExt = "#{line[6]} #{line[7]}"
|
85
85
|
end
|
86
|
+
puts " Type: #{$extType}"
|
87
|
+
puts " Enabled: #{extEnabled}"
|
88
|
+
puts " Active: #{extActive}"
|
89
|
+
puts " Team ID: #{teamID}"
|
90
|
+
puts " Bundle ID: #{bunldeID}"
|
91
|
+
puts " Version: #{versionExt}"
|
92
|
+
puts " Name: #{nameExt}"
|
93
|
+
puts " State: #{stateExt}"
|
86
94
|
end
|
95
|
+
|
87
96
|
end
|
97
|
+
|
98
|
+
|
88
99
|
end
|
89
100
|
|
90
101
|
def self.processCPU
|
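Review bot: The new `Enabled:` and `Active:` lines are driven by the unchanged conditions `if line[0] = "*"` and `if line[1] = "*"`, which assign instead of compare, so both are always truthy, `extEnabled` and `extActive` are always "true", and the first two fields are overwritten. They should be `if line[0] == "*"` and `if line[1] == "*"`; for output meant to be collected by an MDM or EDR, a system extension reported as enabled and active when it is not is a misleading finding. `bunldeID` is also a misspelling of `bundleID`. The page shows this hunk without a file header (by the diffstat counts it appears to be `state.rb`), and the enclosing method begins outside the hunk.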
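--- a/data/lib/macos/artifacts.rb
+++ b/data/lib/macos/artifacts.rb
@@ -6,6 +6,8 @@ require_relative "artifacts/files"
 require_relative "artifacts/apps"
 require_relative "artifacts/help"
 require 'cfpropertylist'
+require 'json'
+
 
 $currentUser = ENV['USER']
 
@@ -141,5 +143,21 @@ module Macos
 puts " Install Critical Updates: #{criticalUpdateInstall}"
 end
 end
+
+def self.airDrop
+airdropUsage = `log show --style json --last 7d --predicate 'subsystem == "com.apple.sharing" AND category == "AirDrop" AND eventMessage == "Sending Ask response with code OK (200)"'`.strip
+data = JSON.parse(airdropUsage)
+
+puts "Airdrop Activty last 7 Days:"
+data.each do |item|
+# puts item
+puts " UserID: #{item["userID"]}"
+puts " Subsystem: #{item["subsystem"]}"
+puts " Category: #{item["category"]}"
+puts " Time: #{item["timestamp"]}"
+puts " Message: #{item["eventMessage"]}"
+puts ""
+end
+end
 end
 end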
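Review bot: `airDrop` hands the output of `log show` straight to `JSON.parse`, so an empty or non-JSON result (the command failing, or the caller lacking permission to read the log) raises `JSON::ParserError` and aborts the whole collection run; `installHistory` in apps.rb has the same shape with `system_profiler`. Wrapping the parse in `begin`/`rescue JSON::ParserError => e` and printing something like `puts " unable to read AirDrop log: #{e.message}"` would keep the remaining artifacts flowing. The predicate matches a single exact `eventMessage`, so an empty list does not mean there was no AirDrop activity; a comment such as `# Reports only "Sending Ask response with code OK (200)" events; other AirDrop log messages are not matched` would keep readers from over-trusting a clean result.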
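--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: macos-artifacts
 version: !ruby/object:Gem::Version
-version: 0.6.
+version: 0.6.4
 platform: ruby
 authors:
 - nic scott
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2024-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler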