macos-artifacts 0.6.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: bef9e063059ed8e1aa054b732e4fa670b438794331fd84c136088ddb3744ed79
+  data.tar.gz: 064d53b36446e2101a2d59479240d10c462ab22840627f6818ef9832d02d0948
+SHA512:
+  metadata.gz: 3187009f4306d5ad8c41e496e0ce76c76a0e74741a66fb8e1cd9910a98b9c34fd7160a82f6d24e019d9d3d0a28844cc6e76af0a3c206ba65b57447a7d89130c9
+  data.tar.gz: 89d75dfe2fae0b58649ccc28fd27088ee3b37d6dd5f531c38fa568f95872730347dc41dad650c61c0909879effc118930f5b762d4bddf9ef2d1462e24a66df93

data/CHANGELOG.md

@@ -0,0 +1,62 @@
+# Change Log
+
+
+---
+## version 0.6.0
+- Add: `help` to output options. User `Macos::Artifacts::Help::options`
+
+---
+## version 0.5.2
+- Add: `state` list of open network connections
+- Add: `files` directory output for /private/tmp
+- Add: `files` directory output for /Users/Shared
+
+---
+## version 0.5.0
+- Add: `apps` module
+
+
+---
+## version 0.4.3
+- Add: processCPU to `state` module
+- Add:  processMemoery to `state` module
+
+
+---
+## version 0.4.2
+- Add: crontab to `files` module
+- Add: hosts file to `files` module
+
+
+---
+## version 0.4.1
+- Add: Preference files for system and users
+
+---
+## version 0.4.0
+- UPDATE: refactor
+
+
+---
+## version 0.3.0
+- UPDATE: break `logs` module out to it's own file
+
+
+---
+## version 0.2.2
+- UPDATE: break `state` module out to it's own file
+
+
+---
+## version 0.2.0
+- ADD: `state` module
+
+
+---
+## version 0.1.5
+- ADD: `logs` module
+
+
+---
+## version 0.1.0
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 nic scott
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+# Macos::Artifacts
+
+## Summary:
+macOS Artifacts outpus a lot of information, from static facts about a machine (serial number, os verion), to outputs of file directories that may be usefull for discovery or reconnaissance (launchagenets and launchdaemons), to the current state of installed system extesnions.
+
+Output is simple text making it able to be scraped up by an MDM or EDR solution to aid in an investiagtion. You can copy and save to a .yaml format if you want syntax highlighting, though output format is not strictly yaml.
+
+---
+## Installation:
+
+`sudp gem install macos-artifacts`
+
+---
+## Usage:
+
+`require 'macos/artifacts'`
+
+
+
+For options:
+
+Macos::Artifacts::Help::options
+
+```ruby
+Macos::Artifacts::computerName
+Macos::Artifacts::serial
+Macos::Artifacts::version
+Macos::Artifacts::build
+Macos::Artifacts::kernel
+Macos::Artifacts::modelName
+Macos::Artifacts::modelID
+Macos::Artifacts::chip
+Macos::Artifacts::architecture
+Macos::Artifacts::memory
+Macos::Artifacts::hardwareUID
+Macos::Artifacts::publicIP
+Macos::Artifacts::privateIP
+Macos::Artifacts::sipStatus
+Macos::Artifacts::filevaultStatus
+Macos::Artifacts::firewallStatus
+Macos::Artifacts::screenlockStatus
+Macos::Artifacts::lockStatus
+Macos::Artifacts::softwareUpdates
+Macos::Artifacts::Files::systemLaunchAgents
+Macos::Artifacts::Files::systemLaunchDaemons
+Macos::Artifacts::Files::userLaunchAgents
+Macos::Artifacts::Files::listUsersAccountDirectory
+Macos::Artifacts::Files::systemApplicationSupport
+Macos::Artifacts::Files::userApplicationSupport
+Macos::Artifacts::Files::libraryPreferences
+Macos::Artifacts::Files::userLibraryPreferences
+Macos::Artifacts::Files::cronTabs
+Macos::Artifacts::Files::etcHosts
+Macos::Artifacts::State::users
+Macos::Artifacts::State::adminUsers
+Macos::Artifacts::State::systemExtensions
+Macos::Artifacts::State::processCPU
+Macos::Artifacts::State::processMemory
+```
+
+
+
+```yaml
+#Example output of all Macos::Artifacts commands
+Host Name: nics-mac
+Serial: X57CLJT7CV
+Version: 13.5.1
+Build: 22F82
+Kernel: 22.5.0
+Model Name: MacBook Pro
+Model ID: MacBookPro18,3
+Chip: Apple M1 Pro
+Architecture: arm64
+Memory: 32 GB
+Hardware UID: 6AE03961-13A4-5418-BA2A-87FF9075FA91
+Public IP: 172.76.37.139
+Private IP: 192.68.68.68
+SIP Status: enabled
+FireVault Status: On
+Firewall Status: Off
+Screen Lock Status: screenLock delay is immediate
+Activation Lock Status: Disabled
+Software Updates:
+  Auto Updates: 1
+  Auto Download: 1
+  Auto Install: 1
+  Install Config Data: 1
+  Install Critical Updates: 1
+```
+

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

data/lib/macos/artifacts/apps.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Macos
+  module Artifacts
+    module Apps
+      def self.applications
+        $applicationsPath = "/Applications"
+        $applicationsDirectory = Dir.entries("#{$applicationsPath}")
+        puts "Applications Folder:"
+        $applicationsDirectory.sort!.each do  | filename |
+          if ! filename.start_with?(".")
+            if File.extname(filename) == ".app"
+              plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/Contents/Info.plist")
+              data = CFPropertyList.native_types(plist.value)
+              data.each do |k,v|
+                if k == "CFBundleShortVersionString"
+                  puts "  #{$applicationsPath}/#{filename}: #{v}"
+                end
+              end
+            else
+              if File.directory?("#{$applicationsPath}/#{filename}")
+                puts "  #{$applicationsPath}/#{filename}:"
+                subpath =  Dir.entries("#{$applicationsPath}/#{filename}")
+                subpath.each do |subdirapp|
+                  if ! subdirapp.start_with?(".")
+                    if File.extname(subdirapp) == ".app"
+                      plist = CFPropertyList::List.new(:file => "#{$applicationsPath}/#{filename}/#{subdirapp}/Contents/Info.plist")
+                      data = CFPropertyList.native_types(plist.value)
+                      data.each do |k,v|
+                        if k == "CFBundleShortVersionString"
+                          puts "    #{$applicationsPath}/#{filename}/#{subdirapp}: #{v}"
+                        end
+                      end
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+
+      def self.packagesReceipts
+        pkgReceipts = `pkgutil --packages`.split("\n") 
+        pkgReceipts.sort!
+        puts "Package Receipts: "
+      
+        pkgReceipts.each do |pkg|
+          puts "  #{pkg.strip}"
+        end
+      end
+
+      def self.installHistory
+        history = `system_profiler SPInstallHistoryDataType `.split("\n")
+        history.shift
+        history.shift
+        puts "Application Install History:"
+        history.each do |item|
+          item = item.strip
+          if ! item.empty?
+            if item.start_with?(/^Version:/)
+              puts "    #{item}"
+            elsif item.start_with?(/^Source:/)
+              puts "    #{item}"
+            elsif item.start_with?(/^Install Date:/)
+              puts "    #{item}"
+            else
+              puts "  #{item}"
+            end
+          end
+        end
+      end
+
+      def self.appInstallLocations
+        history = `mdfind "kMDItemKind == Application"`.split("\n")
+        puts "Application Install Locations:"
+        history.each do |item|
+        if ! item.start_with?("/System")
+            puts "  #{item.strip}"
+          end
+        end
+      end
+      
+
+    end
+  end
+end

data/lib/macos/artifacts/files.rb

@@ -0,0 +1,279 @@
+# frozen_string_literal: true
+
+$currentUser = ENV['USER'] 
+
+module Macos
+  module Artifacts
+    module Files
+
+      def self.systemLaunchAgents
+        $systemLaunchAgentsPath = "/Library/LaunchAgents"
+        $launchAgentDir = Dir.entries("#{$systemLaunchAgentsPath}")
+        puts "System Launchagents:"
+        $launchAgentDir.each do  | filename |
+          if filename != "." && filename != ".."
+            puts "  #{$systemLaunchAgentsPath}/#{filename}"
+            plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
+            data = CFPropertyList.native_types(plist.value)
+            data.each do |k,v|
+              puts "    #{k}: #{v}"
+            end
+          end
+        end
+      end
+
+      def self.systemLaunchDaemons
+        $systemLaunchAgentsPath = "/Library/LaunchDaemons"
+        $launchAgentDir = Dir.entries("#{$systemLaunchAgentsPath}")
+        puts "System LaunchDaemons:"
+        $launchAgentDir.each do  | filename |
+          if filename != "." && filename != ".."
+            puts "  #{$systemLaunchAgentsPath}/#{filename}"
+            plist = CFPropertyList::List.new(:file => "#{$systemLaunchAgentsPath}/#{filename}")
+            data = CFPropertyList.native_types(plist.value)
+            data.each do |k,v|
+              puts "    #{k}: #{v}"
+            end
+          end
+        end
+      end
+
+      def self.userLaunchAgents
+        userArray = []
+        Dir.entries("/Users").each do |username|
+          if !username.start_with?(".")
+            if username != "Shared" and username != "Guest"
+              userArray.push("#{username}")
+            end
+          end
+        end
+      
+        userArray.each do |username|
+          userLaunchAgentsPath = "/Users/#{username}/Library/LaunchAgents"
+          if Dir.exist?("#{userLaunchAgentsPath}")
+            launchAgentDir = Dir.entries("#{userLaunchAgentsPath}")
+            puts "#{username} LaunchAgents:"
+            launchAgentDir.each do  | filename |
+              if filename != "." && filename != ".." && filename != ".DS_Store"
+                puts "  #{userLaunchAgentsPath}/#{filename}"
+                plist = CFPropertyList::List.new(:file => "#{userLaunchAgentsPath}/#{filename}")
+                data = CFPropertyList.native_types(plist.value)
+                data.each do |k,v|
+                  puts "    #{k}: #{v}"
+                end
+              end
+            end
+          end
+      
+        end
+      end
+
+      def self.listUsersAccountDirectory
+        $userHomeFolder = Dir.entries("/Users/#{$currentUser}")
+        fileArray = []
+        $userHomeFolder.each do  | filename |
+          if filename != "." && filename != ".."
+            filePath = "/Users/#{$currentUser}/#{filename}"
+              fileArray.push("#{filePath}")
+          end
+        end
+    
+        fileArray = fileArray.sort
+    
+        puts "Home Directory for #{$currentUser}:"
+        fileArray.each do |item|
+          if ! Dir.exist?("#{item}")
+            puts "  #{item}"
+          elsif Dir.exist?("#{item}")
+            puts "  #{item}:"
+            $subDir = Dir.entries("#{item}")
+            $subDir.each do  |subfile|
+              if subfile != "." && subfile != ".."
+                puts "    #{item}/#{subfile}"
+              end
+            end
+          else
+            puts "ERROR"
+          end
+        end
+      end
+
+      def self.userApplicationSupport
+        userApplicationSupport = "/Users/#{$currentUser}/Library/Application Support"
+        if Dir.exist?("#{userApplicationSupport}")
+          puts "#{$currentUser} Application Support:"
+          Dir.entries("#{userApplicationSupport}").each do  | filename |
+            if filename != "." && filename != ".." && filename != ".DS_Store"
+              puts "  #{userApplicationSupport}/#{filename}"
+            end
+          end
+        end
+      end
+
+      def self.systemApplicationSupport
+        systemApplicationSupport = "/Library/Application Support"
+          if Dir.exist?("#{systemApplicationSupport}")
+            puts "System Application Support:"
+            Dir.entries("#{systemApplicationSupport}").each do  | filename |
+              if filename != "." && filename != ".." && filename != ".DS_Store"
+                puts "  #{systemApplicationSupport}/#{filename}"
+              end
+            end
+          end
+      end
+
+      def self.libraryPreferences
+        systemApplicationSupport = "/Library/Preferences"
+        if Dir.exist?("#{systemApplicationSupport}")
+          puts "Library Preferences:"
+          Dir.entries("#{systemApplicationSupport}").each do  | filename |
+            if filename != "." && filename != ".." && filename != ".DS_Store"
+              puts "  #{systemApplicationSupport}/#{filename}"
+            end
+          end
+        end
+      end
+
+      def self.userLibraryPreferences
+        userArray = []
+        Dir.entries("/Users").each do |username|
+          if !username.start_with?(".")
+            if username != "Shared" and username != "Guest"
+              userArray.push("#{username}")
+            end
+          end
+        end
+        userArray.each do |username|
+          filesArray = []
+          userPreferences = "/Users/#{username}/Library/Preferences"
+          if Dir.exist?("#{userPreferences}")
+            puts "#{username} Preferences:"
+            Dir.entries("#{userPreferences}").each do  | filename |
+              if filename != "." && filename != ".." && filename != ".DS_Store"
+                filesArray.push("#{userPreferences}/#{filename}")
+              end
+            end
+          end
+          filesArray.sort.each do |filename|
+            puts "  #{filename}"
+          end
+        end
+      end
+
+      def self.cronTabs
+        cronTab = `/usr/bin/crontab -l`.strip
+        puts "crontabs:"
+        if cronTab.empty?
+          puts "  No current crontabs"
+        else
+          puts "  #{cronTab}"
+        end
+      end
+      
+      def self.etcHosts
+        hostfiles = `cat /etc/hosts`.split("\n")
+        puts "Hosts File:"
+        hostfiles.each do |line|
+          puts "  #{line}"
+        end
+      end
+
+      def self.usrLocal
+        path = "/usr/local"
+        
+        puts "#{path} Directory:"
+        if File.exists?("#{path}")
+          output = `ls -al #{path}`.split("\n")
+          output.shift
+          output.each do |item|
+            puts "  #{item}"
+          end
+        else
+          puts "  No such file or directory"
+        end
+      end
+
+      def self.usrLocalBin
+        path = "/usr/local/bin"
+        
+        puts "#{path} Directory:"
+        if File.exists?("#{path}")
+          output = `ls -al #{path}`.split("\n")
+          output.shift
+          output.each do |item|
+            puts "  #{item}"
+          end
+        else
+          puts "  No such file or directory"
+        end
+      end
+
+      def self.usrLocalSbin
+        path = "/usr/local/sbin"
+        
+        puts "#{path} Directory:"
+        if File.exists?("#{path}")
+          output = `ls -al #{path}`.split("\n")
+          output.shift
+          output.each do |item|
+            puts "  #{item}"
+          end
+        else
+          puts "  No such file or directory"
+        end
+      end
+
+      def self.usersShared
+        path = "/Users/Shared"
+        
+        puts "#{path} Directory:"
+        if File.exists?("#{path}")
+          output = `ls -al #{path}`.split("\n")
+          output.shift
+          output.each do |item|
+            puts "  #{item}"
+          end
+        else
+          puts "  No such file or directory"
+        end
+      end
+
+      def self.privateTmp
+        path = "/private/tmp"
+        
+        puts "#{path} Directory:"
+        if File.exists?("#{path}")
+          output = `ls -al #{path}`.split("\n")
+          output.shift
+          output.each do |item|
+            puts "  #{item}"
+          end
+        else
+          puts "  No such file or directory"
+        end
+      end
+
+      def self.scriptInstallLocations
+        history1 = `mdfind "kMDItemKind == 'Shell Script'"`.split("\n")
+        puts "Script Install Locations:"
+        history1.each do |item|
+          if ! item.start_with?("/System", "/Library/Developer", "/usr/share", "/usr/bin", "/Library/Ruby")
+            if ! item.include? "/Library/Application Support/Code/User/History"
+                puts "  #{item.strip}"
+            end
+          end
+        end
+      
+        history = `mdfind "kMDItemKind == '* Source'"`.split("\n")
+        history.each do |item|
+          if ! item.start_with?("/System", "/Library/Developer", "/usr/share", "/usr/bin", "/Library/Ruby")
+            if ! item.include? "/Library/Application Support/Code/User/History"
+              puts "  #{item.strip}"
+            end
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/macos/artifacts/help.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Macos
+  module Artifacts
+    module Help
+      def self.options
+        puts ""
+        puts "Summary: 
+        Artifact is an easy way to output a lot of facts and states about a macOS machine. 
+        It's meant to be quick text output so it can be returned via an MDM or EDR solution to aid in investigations"
+        puts ""
+        puts "Macos::Artifact Usage:"
+        puts "  Macos::Artifacts::computerName                      uses scutil to return computername"
+        puts "  Macos::Artifacts::serial                            returns serial number from system_profiler"
+        puts "  Macos::Artifacts::version                           uses sw_vers to return os version"
+        puts "  Macos::Artifacts::build                             uses sw_vers to return buld number"
+        puts "  Macos::Artifacts::kernel                            uses uname to return kernel"
+        puts "  Macos::Artifacts::modelName                         users system_profiler to return model name"
+        puts "  Macos::Artifacts::modelID                           users system_profiler to return model id"
+        puts "  Macos::Artifacts::chip                              users system_profiler to return hardware chip"
+        puts "  Macos::Artifacts::architecture                      users uanme to return hardware architecture"
+        puts "  Macos::Artifacts::memory                            users system_profiler to return memory installed"
+        puts "  Macos::Artifacts::hardwareUID                       users system_profiler to return hardware id"
+        puts "  Macos::Artifacts::publicIP                          public ip returned by dig"
+        puts "  Macos::Artifacts::privateIP                         private ip returned by ipconfig"
+        puts "  Macos::Artifacts::sipStatus                         returns sip status from csrutil"
+        puts "  Macos::Artifacts::filevaultStatus                   returns filevault status from fdesetup"
+        puts "  Macos::Artifacts::firewallStatus                    read firewall status from com.apple.alf"
+        puts "  Macos::Artifacts::screenlockStatus                  checks screenlock status and time" 
+        puts "  Macos::Artifacts::lockStatus                        returns Activation Lock Status"
+        puts "  Macos::Artifacts::softwareUpdates                   returns machines softwareupate settings"
+        puts ""
+        puts "Macos::Artifacts::Files Usage:"
+        puts "  Macos::Artifacts::Files::systemLaunchAgents         list output of installed /Library/LaunchAgents"
+        puts "  Macos::Artifacts::Files::systemLaunchDaemons        list output of installed /Library/LaunchDaemons"
+        puts "  Macos::Artifacts::Files::userLaunchAgents           list output of Users ~/Library/LaunchAgents"
+        puts "  Macos::Artifacts::Files::listUsersAccountDirectory  list output of users home directory"
+        puts "  Macos::Artifacts::Files::systemApplicationSupport   list output of /Library/Application Support"
+        puts "  Macos::Artifacts::Files::userApplicationSupport     list output of ~/Library/Application Support"
+        puts "  Macos::Artifacts::Files::libraryPreferences         list output of /Library/Preferences"
+        puts "  Macos::Artifacts::Files::userLibraryPreferences     list output of ~/Library/Preferences"
+        puts "  Macos::Artifacts::Files::cronTabs                   list output crontabs"
+        puts "  Macos::Artifacts::Files::etcHosts                   list output of /etc/hosts file"
+        puts "  Macos::Artifacts::Files::usrLocal                   list output of /usr/local"
+        puts "  Macos::Artifacts::Files::usrLocalBin                list output of /usr/local/bin"
+        puts "  Macos::Artifacts::Files::usrLocalSbin               list output of /usr/local/sbin"
+        puts "  Macos::Artifacts::Files::usersShared                list output of /User/Shared"
+        puts "  Macos::Artifacts::Files::privateTmp                 list ooutput of /private/tmp"
+        puts "  Macos::Artifacts::Files::scriptInstallLocations     list output paths for shell, python, ruby scripts"
+        puts ""
+        puts "Macos::Artifacts::State Usage:"
+        puts "  Macos::Artifacts::State::users                      list of local users with UIDs"
+        puts "  Macos::Artifacts::State::adminUsers                 list of users in admin gropu"
+        puts "  Macos::Artifacts::State::systemExtensions           output of systemextensionctl"
+        puts "  Macos::Artifacts::State::processCPU                 top 10 CPU Processes"
+        puts "  Macos::Artifacts::State::processMemory              top 10 Memory Processes"
+        puts "  Macos::Artifacts::State::openNetworkConnections     open network connections"
+        puts "  Macos::Artifacts::State::networkInterfaces          returns network interfaces"
+        puts ""
+        puts "Macos::Artifacts::Apps Usage:"
+        puts "  Macos::Artifacts::Apps::applications                outputs main applicaitons folder with version"
+        puts "  Macos::Artifacts::Apps::packagesReceipts            outputs list of installed packages"
+        puts "  Macos::Artifacts::Apps::installHistory              outputs history of installed apps"
+        puts "  Macos::Artifacts::Apps::appInstallLocations         outputs list of appliction install paths"
+        puts ""
+      end
+    end
+  end
+end

data/lib/macos/artifacts/state.rb

@@ -0,0 +1,187 @@
+# frozen_string_literal: true
+
+module Macos
+  module Artifacts
+    module State
+      def self.users
+        $userHash={}
+        Dir.entries("/Users").each do |username|
+          if !username.start_with?(".")
+            if username != "Shared" and username != "Guest"
+              uid = `id -u #{username}`.strip
+              $userHash["#{username}"] = uid
+            end
+          end
+        end
+      
+        puts "Local Users:"
+        $userHash.each do |key, value|
+          puts "  #{key}: #{value}"
+        end
+      end
+
+      def self.adminUsers
+          admins=`dscl . -read /Groups/admin GroupMembership`.split(" ")
+          admins.shift()
+        
+          puts "Admins:"
+          admins.each do |name|
+            puts "  #{name}"
+          end
+      end
+
+      def self.systemExtensions
+        sysext = `systemextensionsctl list`.split("\n")
+        sysext.shift()
+        
+        puts "System Extensions:"
+        sysext.each do |line|
+      
+          if line.start_with?('---')
+            line = line.split(" ")
+            puts "  Type: #{line[1]}"
+          elsif !line.start_with?("enabled")
+            line = line.split(" ")
+            if line[0] = "*"
+              puts "  Enabled: true"
+            else
+              puts "  Enabled: false"
+            end
+            if line[1] = "*"
+              puts "  Active: true"
+            else
+              puts "  Active: false"
+            end
+            puts "  TeamID: #{line[2]}"
+            puts "  BundleID: #{line[3]}"
+            puts "  Version: #{line[4]}"
+      
+            if line[5] != "[activated"
+              if line[6] != "[activated"
+                if line[7] != "[activated"
+                  if line[8] != "[activated"
+                    puts "  Name: #{line[5]} #{line[6]} #{line[7]} #{line[8]}"
+                  else
+                    puts "  Name: #{line[5]} #{line[6]} #{line[7]}"
+                  end
+                end
+              else
+                puts "  Name: #{line[5]}"
+              end
+            else
+              puts "  Name: #{line[5]}"
+            end
+      
+            if line[6] == "[activated"
+              puts "  State: #{line[6]} #{line[7]}"
+            elsif line[7]  == "[activated"
+              puts "  State: #{line[7]} #{line[8]}"
+            elsif line[8]  == "[activated"
+              puts "  State: #{line[8]} #{line[9]}"
+            elsif line[9]  == "[activated"
+              puts "  State: #{line[9]} #{line[10]}"
+            else
+              puts "  State: #{line[6]} #{line[7]}"
+            end
+          end
+       end
+      end
+
+      def self.processCPU
+        $psArray = []
+        $psHash = {}
+        processes = `ps axc -o user,pid,%cpu,%mem,start,time,command`.split("\n")
+        processes.shift()
+      
+        processes.each do |item|
+          data = item.split(" ")
+          psHash = {
+            :user => "#{data[0].strip}",
+            :pid => "#{data[1].strip}",
+            :cpu => "#{data[2].to_f}",
+            :mem => "#{data[3].strip}",
+            :start => "#{data[4].strip}",
+            :time => "#{data[5].strip}",
+            :command => "#{data[6].strip}"
+          }
+          $psArray.push(psHash)
+        end
+      
+        $psArray.sort_by! { |hash| hash[:cpu] }
+        puts "Top 10 CPU Processes:"
+      
+        $psArray.last(10).reverse.each do |ps|
+          ps.each do |key,value|
+            if key.to_s == "user"
+               puts "  #{key}: #{value}"
+            else
+              puts "    #{key}: #{value}"
+            end
+          end
+        end
+      end
+
+      def self.processMemory
+        $psArray = []
+        $psHash = {}
+        processes = `ps axc -o user,pid,%cpu,%mem,start,time,command`.split("\n")
+        processes.shift()
+      
+        processes.each do |item|
+          data = item.split(" ")
+          psHash = {
+            :user => "#{data[0].strip.to_s}",
+            :pid => "#{data[1].strip}",
+            :cpu => "#{data[2].to_f}",
+            :mem => "#{data[3].strip}",
+            :start => "#{data[4].strip}",
+            :time => "#{data[5].strip}",
+            :command => "#{data[6].strip}"
+          }
+          $psArray.push(psHash)
+        end
+      
+        $psArray.sort_by! { |hash| hash[:mem] }
+        puts "Top 10 Memory Processes:"
+      
+        $psArray.last(10).reverse.each do |ps|
+          ps.each do |key,value|
+            if key.to_s == "user"
+               puts "  #{key}: #{value}"
+            else
+              puts "    #{key}: #{value}"
+            end
+          end
+        end
+      end
+
+      def self.openNetworkConnections
+        listOfOpenConnections = `lsof -i`.split("\n")
+        listOfOpenConnections.shift
+        puts "Open Network Connections:"
+        listOfOpenConnections.each do |line|
+          line = line.split(" ")
+          puts "  Command: #{line[0]}"
+          puts "    PID: #{line[1]}"
+          puts "    USER: #{line[2]}"
+          puts "    TYPE: #{line[4]}"
+          puts "    NODE: #{line[7]}"
+          puts "    NAME: #{line[8]}"
+        end 
+      end
+
+      def self.networkInterfaces
+        listOfNetworkInterfaces = `ifconfig`.split("\n")
+        puts "Network Interfaces:"
+        listOfNetworkInterfaces.each do |item|
+          if item.start_with?(/^*:/)
+            puts item.strip
+          else
+            puts "  #{item}"
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/macos/artifacts/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Macos
+  module Artifacts
+    VERSION = "0.6.0"
+  end
+end

data/lib/macos/artifacts.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require_relative "artifacts/version"
+require_relative "artifacts/state"
+require_relative "artifacts/files"
+require_relative "artifacts/apps"
+require_relative "artifacts/help"
+require 'cfpropertylist'
+
+$currentUser = ENV['USER'] 
+
+module Macos
+  module Artifacts
+    def self.computerName
+      computerName = `scutil --get ComputerName`.strip
+      puts "Host Name: #{computerName}"
+    end
+
+    def self.serial
+      serialNumber = `system_profiler SPHardwareDataType | grep Serial | cut -d ":" -f2 | xargs`.strip
+      puts "Serial: #{serialNumber}"
+    end
+
+    def self.version
+      osVersion = `sw_vers -ProductVersion`.strip
+      puts "Version: #{osVersion}"
+    end
+
+    def self.build
+      osBuild = `sw_vers -BuildVersion`.strip
+      puts "Build: #{osBuild}"
+    end
+
+    def self.kernel
+      arch = `uname -r`.strip
+      puts "Kernel: #{arch}"
+    end
+
+    def self.modelName
+      modelName = `system_profiler SPHardwareDataType | grep "Model Name" | cut -d ":" -f2 | xargs`.strip
+      puts "Model Name: #{modelName}"
+    end
+
+    def self.modelID
+      modelID =  `system_profiler SPHardwareDataType | grep "Model Identifier" | cut -d ":" -f2 | xargs`.strip
+      puts "Model ID: #{modelID}"
+    end
+
+    def self.chip
+      chipArch = `system_profiler SPHardwareDataType | grep "Chip" | cut -d ":" -f2 | xargs`.strip
+      puts "Chip: #{chipArch}"
+    end
+
+    def self.architecture
+      arch = `uname -m`.strip
+      puts "Architecture: #{arch}"
+    end
+
+    def self.memory
+      memory = `system_profiler SPHardwareDataType | grep "Memory" | cut -d ":" -f2 | xargs`.strip
+      puts "Memory: #{memory}"
+    end
+
+    def self.hardwareUID
+      uuid = `system_profiler SPHardwareDataType | grep "Hardware" | cut -d ":" -f2 | xargs`.strip
+      puts "Hardware UID: #{uuid}"
+    end
+
+    def self.publicIP
+      ip = `dig -4 TXT +short o-o.myaddr.l.google.com ns1.google.com | tr -d '"'`.strip
+      puts "Public IP: #{ip}"
+    end
+
+    def self.privateIP
+      ip = `ipconfig getifaddr en0`.strip
+      puts "Private IP: #{ip}"
+    end
+
+    def self.sipStatus
+      command = `csrutil status | cut -d ":" -f2 | xargs | head -c7 | xargs`.strip
+      puts "SIP Status: #{command}"
+    end
+
+    def self.filevaultStatus
+      command = `fdesetup status | awk '{print $3}' | head -c2 | xargs`.strip
+      puts "FireVault Status: #{command}"
+    end
+
+    def self.firewallStatus
+      command =  `defaults read /Library/Preferences/com.apple.alf globalstate`.strip
+
+      if command == "0"
+        puts "Firewall Status: Off"
+      else
+        puts "Firewall Status: On"
+      end
+    end
+
+    def self.lockStatus
+      status = `system_profiler SPHardwareDataType | grep "Activation Lock Status" | cut -d ":" -f2 | xargs`.strip
+      puts "Activation Lock Status: #{status}"
+    end
+
+    def self.screenlockStatus
+      screensaverPlist = "/Library/Managed Preferences/com.apple.screensaver.plist"
+
+      if File.exists?("#{screensaverPlist}")
+        screenSaverTime = `defaults read '#{screensaverPlist}' askForPasswordDelay`.strip
+        puts "found"
+      else
+        $askForPasswordStatus = `sysadminctl -screenLock status 2>&1 >/dev/null`.split("]")
+        puts "Screen Lock Status: #{$askForPasswordStatus[1].strip}"
+      end
+    end
+
+    def self.softwareUpdates
+      managedUpdates = "/Library/Managed Preferences/com.apple.SoftwareUpdate.plist"
+    
+      puts "Software Updates:"
+      if File.exists?("#{managedUpdates}")
+        autoCheck = `defaults read "#{managedUpdates}" AutomaticCheckEnabled`.strip
+        automaticDownload = `defaults read "#{managedUpdates}" AutomaticDownload`.strip
+        automaticallyInstallMacOSUpdates = `defaults read "#{managedUpdates}" AutomaticallyInstallMacOSUpdates`.strip
+        configDataInstall = `defaults read "#{managedUpdates}" ConfigDataInstall`.strip
+        criticalUpdateInstall = `defaults read "#{managedUpdates}" CriticalUpdateInstall`.strip
+        puts "  Auto Updates: #{autoCheck}"
+        puts "  Auto Download: #{automaticDownload}"
+        puts "  Auto Install: #{automaticallyInstallMacOSUpdates}"
+        puts "  Install Config Data: #{configDataInstall}"
+        puts "  Install Critical Updates: #{criticalUpdateInstall}"
+      else
+        autoCheck = `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticCheckEnabled`.strip
+        automaticDownload = `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticDownload`.strip
+        automaticallyInstallMacOSUpdates = `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist AutomaticallyInstallMacOSUpdates`.strip
+        configDataInstall = `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist ConfigDataInstall`.strip
+        criticalUpdateInstall = `defaults read /Library/Preferences/com.apple.SoftwareUpdate.plist CriticalUpdateInstall`.strip
+        puts "  Auto Updates: #{autoCheck}"
+        puts "  Auto Download: #{automaticDownload}"
+        puts "  Auto Install: #{automaticallyInstallMacOSUpdates}"
+        puts "  Install Config Data: #{configDataInstall}"
+        puts "  Install Critical Updates: #{criticalUpdateInstall}"
+      end
+    end
+  end
+end

data/macos-artifacts.gemspec

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require_relative "lib/macos/artifacts/version"
+require_relative "lib/macos/artifacts/state"
+require_relative "lib/macos/artifacts/files"
+require_relative "lib/macos/artifacts/apps"
+require_relative "lib/macos/artifacts/help"
+
+Gem::Specification.new do |spec|
+  spec.name     = "macos-artifacts"
+  spec.version  = Macos::Artifacts::VERSION
+  spec.authors  = ["nic scott"]
+  spec.email    = ["nls.inbox@gmail.com"]
+  spec.summary  = %q{A collection of macOS artifacts}
+  spec.homepage = "https://github.com/nlscott/macos-artifacts"
+  spec.license  = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  spec.add_development_dependency "bundler", ">= 2.2.33"
+  spec.add_development_dependency "CFPropertyList", ">= 3.0.6"
+end

data/sig/macos/artifacts.rbs

@@ -0,0 +1,6 @@
+module Macos
+  module Artifacts
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -0,0 +1,83 @@
+--- !ruby/object:Gem::Specification
+name: macos-artifacts
+version: !ruby/object:Gem::Version
+  version: 0.6.0
+platform: ruby
+authors:
+- nic scott
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2023-09-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.33
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.33
+- !ruby/object:Gem::Dependency
+  name: CFPropertyList
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.6
+description: 
+email:
+- nls.inbox@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/macos/artifacts.rb
+- lib/macos/artifacts/apps.rb
+- lib/macos/artifacts/files.rb
+- lib/macos/artifacts/help.rb
+- lib/macos/artifacts/state.rb
+- lib/macos/artifacts/version.rb
+- macos-artifacts.gemspec
+- sig/macos/artifacts.rbs
+homepage: https://github.com/nlscott/macos-artifacts
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key: 
+specification_version: 4
+summary: A collection of macOS artifacts
+test_files: []