npm - nox-openclaw-hunter - Versions diffs - 1.0.0 - Mend

nox-openclaw-hunter 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (211) hide show

package/LICENSE +21 -0
package/README.md +140 -0
package/bin/nox.js +2 -0
package/dist/branding.d.ts +39 -0
package/dist/branding.d.ts.map +1 -0
package/dist/branding.js +66 -0
package/dist/branding.js.map +1 -0
package/dist/cli.d.ts +15 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +94 -0
package/dist/cli.js.map +1 -0
package/dist/commands/export.d.ts +21 -0
package/dist/commands/export.d.ts.map +1 -0
package/dist/commands/export.js +616 -0
package/dist/commands/export.js.map +1 -0
package/dist/commands/index.d.ts +8 -0
package/dist/commands/index.d.ts.map +1 -0
package/dist/commands/index.js +8 -0
package/dist/commands/index.js.map +1 -0
package/dist/commands/isolate.d.ts +30 -0
package/dist/commands/isolate.d.ts.map +1 -0
package/dist/commands/isolate.js +547 -0
package/dist/commands/isolate.js.map +1 -0
package/dist/commands/purge.d.ts +22 -0
package/dist/commands/purge.d.ts.map +1 -0
package/dist/commands/purge.js +295 -0
package/dist/commands/purge.js.map +1 -0
package/dist/commands/scan.d.ts +23 -0
package/dist/commands/scan.d.ts.map +1 -0
package/dist/commands/scan.js +155 -0
package/dist/commands/scan.js.map +1 -0
package/dist/detector/app-bundle.d.ts +13 -0
package/dist/detector/app-bundle.d.ts.map +1 -0
package/dist/detector/app-bundle.js +27 -0
package/dist/detector/app-bundle.js.map +1 -0
package/dist/detector/cli-binary.d.ts +12 -0
package/dist/detector/cli-binary.d.ts.map +1 -0
package/dist/detector/cli-binary.js +66 -0
package/dist/detector/cli-binary.js.map +1 -0
package/dist/detector/config.d.ts +21 -0
package/dist/detector/config.d.ts.map +1 -0
package/dist/detector/config.js +337 -0
package/dist/detector/config.js.map +1 -0
package/dist/detector/detection-config.d.ts +24 -0
package/dist/detector/detection-config.d.ts.map +1 -0
package/dist/detector/detection-config.js +242 -0
package/dist/detector/detection-config.js.map +1 -0
package/dist/detector/docker.d.ts +10 -0
package/dist/detector/docker.d.ts.map +1 -0
package/dist/detector/docker.js +94 -0
package/dist/detector/docker.js.map +1 -0
package/dist/detector/index.d.ts +50 -0
package/dist/detector/index.d.ts.map +1 -0
package/dist/detector/index.js +155 -0
package/dist/detector/index.js.map +1 -0
package/dist/detector/network.d.ts +34 -0
package/dist/detector/network.d.ts.map +1 -0
package/dist/detector/network.js +205 -0
package/dist/detector/network.js.map +1 -0
package/dist/detector/process.d.ts +16 -0
package/dist/detector/process.d.ts.map +1 -0
package/dist/detector/process.js +47 -0
package/dist/detector/process.js.map +1 -0
package/dist/detector/service.d.ts +17 -0
package/dist/detector/service.d.ts.map +1 -0
package/dist/detector/service.js +51 -0
package/dist/detector/service.js.map +1 -0
package/dist/enforcer/docker-cleaner.d.ts +30 -0
package/dist/enforcer/docker-cleaner.d.ts.map +1 -0
package/dist/enforcer/docker-cleaner.js +163 -0
package/dist/enforcer/docker-cleaner.js.map +1 -0
package/dist/enforcer/file-remover.d.ts +34 -0
package/dist/enforcer/file-remover.d.ts.map +1 -0
package/dist/enforcer/file-remover.js +137 -0
package/dist/enforcer/file-remover.js.map +1 -0
package/dist/enforcer/index.d.ts +33 -0
package/dist/enforcer/index.d.ts.map +1 -0
package/dist/enforcer/index.js +142 -0
package/dist/enforcer/index.js.map +1 -0
package/dist/enforcer/process-killer.d.ts +18 -0
package/dist/enforcer/process-killer.d.ts.map +1 -0
package/dist/enforcer/process-killer.js +80 -0
package/dist/enforcer/process-killer.js.map +1 -0
package/dist/enforcer/service-stopper.d.ts +23 -0
package/dist/enforcer/service-stopper.d.ts.map +1 -0
package/dist/enforcer/service-stopper.js +95 -0
package/dist/enforcer/service-stopper.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +10 -0
package/dist/index.js.map +1 -0
package/dist/isolator/firewall.d.ts +25 -0
package/dist/isolator/firewall.d.ts.map +1 -0
package/dist/isolator/firewall.js +114 -0
package/dist/isolator/firewall.js.map +1 -0
package/dist/isolator/index.d.ts +63 -0
package/dist/isolator/index.d.ts.map +1 -0
package/dist/isolator/index.js +201 -0
package/dist/isolator/index.js.map +1 -0
package/dist/isolator/lockdown.d.ts +22 -0
package/dist/isolator/lockdown.d.ts.map +1 -0
package/dist/isolator/lockdown.js +401 -0
package/dist/isolator/lockdown.js.map +1 -0
package/dist/isolator/quarantine.d.ts +39 -0
package/dist/isolator/quarantine.d.ts.map +1 -0
package/dist/isolator/quarantine.js +364 -0
package/dist/isolator/quarantine.js.map +1 -0
package/dist/mdm/index.d.ts +93 -0
package/dist/mdm/index.d.ts.map +1 -0
package/dist/mdm/index.js +414 -0
package/dist/mdm/index.js.map +1 -0
package/dist/mdm/intune.d.ts +69 -0
package/dist/mdm/intune.d.ts.map +1 -0
package/dist/mdm/intune.js +409 -0
package/dist/mdm/intune.js.map +1 -0
package/dist/mdm/jamf.d.ts +58 -0
package/dist/mdm/jamf.d.ts.map +1 -0
package/dist/mdm/jamf.js +441 -0
package/dist/mdm/jamf.js.map +1 -0
package/dist/mdm/jumpcloud.d.ts +73 -0
package/dist/mdm/jumpcloud.d.ts.map +1 -0
package/dist/mdm/jumpcloud.js +470 -0
package/dist/mdm/jumpcloud.js.map +1 -0
package/dist/mdm/templates/detect.ps1.d.ts +30 -0
package/dist/mdm/templates/detect.ps1.d.ts.map +1 -0
package/dist/mdm/templates/detect.ps1.js +463 -0
package/dist/mdm/templates/detect.ps1.js.map +1 -0
package/dist/mdm/templates/detect.sh.d.ts +30 -0
package/dist/mdm/templates/detect.sh.d.ts.map +1 -0
package/dist/mdm/templates/detect.sh.js +474 -0
package/dist/mdm/templates/detect.sh.js.map +1 -0
package/dist/mdm/templates/enforce.ps1.d.ts +33 -0
package/dist/mdm/templates/enforce.ps1.d.ts.map +1 -0
package/dist/mdm/templates/enforce.ps1.js +681 -0
package/dist/mdm/templates/enforce.ps1.js.map +1 -0
package/dist/mdm/templates/enforce.sh.d.ts +33 -0
package/dist/mdm/templates/enforce.sh.d.ts.map +1 -0
package/dist/mdm/templates/enforce.sh.js +591 -0
package/dist/mdm/templates/enforce.sh.js.map +1 -0
package/dist/platform/darwin.d.ts +6 -0
package/dist/platform/darwin.d.ts.map +1 -0
package/dist/platform/darwin.js +192 -0
package/dist/platform/darwin.js.map +1 -0
package/dist/platform/index.d.ts +43 -0
package/dist/platform/index.d.ts.map +1 -0
package/dist/platform/index.js +27 -0
package/dist/platform/index.js.map +1 -0
package/dist/platform/linux.d.ts +6 -0
package/dist/platform/linux.d.ts.map +1 -0
package/dist/platform/linux.js +134 -0
package/dist/platform/linux.js.map +1 -0
package/dist/platform/windows.d.ts +6 -0
package/dist/platform/windows.d.ts.map +1 -0
package/dist/platform/windows.js +134 -0
package/dist/platform/windows.js.map +1 -0
package/dist/reporter/console.d.ts +27 -0
package/dist/reporter/console.d.ts.map +1 -0
package/dist/reporter/console.js +431 -0
package/dist/reporter/console.js.map +1 -0
package/dist/reporter/index.d.ts +11 -0
package/dist/reporter/index.d.ts.map +1 -0
package/dist/reporter/index.js +13 -0
package/dist/reporter/index.js.map +1 -0
package/dist/reporter/json.d.ts +61 -0
package/dist/reporter/json.d.ts.map +1 -0
package/dist/reporter/json.js +75 -0
package/dist/reporter/json.js.map +1 -0
package/dist/reporter/webhook.d.ts +57 -0
package/dist/reporter/webhook.d.ts.map +1 -0
package/dist/reporter/webhook.js +230 -0
package/dist/reporter/webhook.js.map +1 -0
package/dist/types/config.d.ts +116 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/config.js +6 -0
package/dist/types/config.js.map +1 -0
package/dist/types/detection.d.ts +85 -0
package/dist/types/detection.d.ts.map +1 -0
package/dist/types/detection.js +5 -0
package/dist/types/detection.js.map +1 -0
package/dist/types/enforcement.d.ts +33 -0
package/dist/types/enforcement.d.ts.map +1 -0
package/dist/types/enforcement.js +5 -0
package/dist/types/enforcement.js.map +1 -0
package/dist/types/index.d.ts +8 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +8 -0
package/dist/types/index.js.map +1 -0
package/dist/types/isolation.d.ts +55 -0
package/dist/types/isolation.d.ts.map +1 -0
package/dist/types/isolation.js +5 -0
package/dist/types/isolation.js.map +1 -0
package/dist/utils/exec.d.ts +48 -0
package/dist/utils/exec.d.ts.map +1 -0
package/dist/utils/exec.js +103 -0
package/dist/utils/exec.js.map +1 -0
package/dist/utils/fs.d.ts +34 -0
package/dist/utils/fs.d.ts.map +1 -0
package/dist/utils/fs.js +111 -0
package/dist/utils/fs.js.map +1 -0
package/dist/utils/index.d.ts +7 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +7 -0
package/dist/utils/index.js.map +1 -0
package/dist/utils/logger.d.ts +14 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +48 -0
package/dist/utils/logger.js.map +1 -0
package/docs/intune.md +390 -0
package/docs/jamf.md +400 -0
package/docs/jumpcloud.md +510 -0
package/package.json +65 -0

package/docs/jamf.md ADDED Viewed

@@ -0,0 +1,400 @@
+# Jamf Pro Integration Guide
+Deploy Nox OpenClaw detection and enforcement scripts across your macOS fleet using Jamf Pro.
+## Overview
+This guide explains how to:
+1. Add detection and enforcement scripts to Jamf Pro
+2. Create policies for automated scanning
+3. Set up extension attributes for inventory
+4. Create Smart Groups for targeting
+5. Configure webhook integration for SIEM alerting
+## Prerequisites
+- Jamf Pro 10.x or later
+- macOS 10.15+ managed devices
+- Admin access to Jamf Pro console
+- (Optional) Webhook endpoint for SIEM integration
+## Quick Start
+1. Generate scripts:
+   ```bash
+   nox export --platform jamf --mode detect --output ./jamf-scripts
+   nox export --platform jamf --mode enforce --output ./jamf-scripts
+   ```
+2. Upload scripts to Jamf Pro
+3. Create detection policy with recurring trigger
+4. (Optional) Create enforcement policy scoped to detected devices
+## Script Setup
+### Step 1: Generate Scripts
+Generate Jamf-optimized scripts using the CLI:
+```bash
+# Detection script
+nox export --platform jamf --mode detect --output ./jamf-scripts
+# Enforcement script
+nox export --platform jamf --mode enforce --output ./jamf-scripts
+# With webhook integration
+nox export --platform jamf --mode detect \
+  --webhook https://siem.example.com/webhook \
+  --webhook-token YOUR_TOKEN \
+  --output ./jamf-scripts
+```
+### Step 2: Add Detection Script
+1. Navigate to **Settings > Computer Management > Scripts**
+2. Click **+ New**
+3. Configure the **General** tab:
+   - **Display Name:** Nox OpenClaw Detection
+   - **Category:** Security
+   - **Info:** Detects OpenClaw AI agent installations
+   - **Notes:** Generated by nox-openclaw-detector v1.0.0
+4. Configure the **Script** tab:
+   - Paste contents of `detect-openclaw.sh`
+5. Configure the **Options** tab:
+   - **Priority:** Before
+   - **Parameter 4 Label:** Webhook URL
+   - **Parameter 5 Label:** Webhook Token
+   - **Parameter 6 Label:** Verbose Mode (true/false)
+6. Click **Save**
+### Step 3: Add Enforcement Script
+1. Navigate to **Settings > Computer Management > Scripts**
+2. Click **+ New**
+3. Configure the **General** tab:
+   - **Display Name:** Nox OpenClaw Enforcement
+   - **Category:** Security
+   - **Info:** Removes OpenClaw AI agent installations
+4. Configure the **Script** tab:
+   - Paste contents of `enforce-openclaw.sh`
+5. Configure the **Options** tab:
+   - **Priority:** Before
+   - **Parameter 4 Label:** Webhook URL
+   - **Parameter 5 Label:** Webhook Token
+   - **Parameter 6 Label:** Quarantine Mode (true/false)
+   - **Parameter 7 Label:** Verbose Mode (true/false)
+6. Click **Save**
+## Extension Attribute
+Create an extension attribute to report OpenClaw status in Jamf inventory.
+### Add Extension Attribute
+1. Navigate to **Settings > Computer Management > Extension Attributes**
+2. Click **+ New**
+3. Configure:
+   - **Display Name:** OpenClaw Status
+   - **Description:** Reports OpenClaw installation status
+   - **Data Type:** String
+   - **Inventory Display:** General
+   - **Input Type:** Script
+4. Paste the extension attribute script:
+```bash
+#!/bin/bash
+# Nox OpenClaw Detection - Jamf Extension Attribute
+OPENCLAW_STATUS="Not Installed"
+# Check CLI binary
+if command -v openclaw &>/dev/null; then
+    OPENCLAW_STATUS="Installed"
+fi
+# Check common paths
+for path in /usr/local/bin/openclaw /opt/homebrew/bin/openclaw; do
+    if [[ -f "$path" ]]; then
+        OPENCLAW_STATUS="Installed"
+        break
+    fi
+done
+# Check app bundle
+if [[ -d "/Applications/OpenClaw.app" ]]; then
+    OPENCLAW_STATUS="Installed"
+fi
+# Check config directory
+if [[ -d "$HOME/.openclaw" ]] || ls -d /Users/*/.openclaw &>/dev/null 2>&1; then
+    OPENCLAW_STATUS="Installed"
+fi
+# Check if running
+if pgrep -f "openclaw" > /dev/null 2>&1; then
+    OPENCLAW_STATUS="Running"
+fi
+# Check gateway port
+if nc -z localhost 18789 2>/dev/null; then
+    OPENCLAW_STATUS="Running"
+fi
+echo "<result>$OPENCLAW_STATUS</result>"
+```
+5. Click **Save**
+### Extension Attribute Values
+| Value | Meaning |
+|-------|---------|
+| `Not Installed` | No OpenClaw components found |
+| `Installed` | OpenClaw detected but not actively running |
+| `Running` | OpenClaw is actively running |
+## Policy Configuration
+### Detection Policy
+Create a policy to run detection on a schedule.
+1. Navigate to **Computers > Policies**
+2. Click **+ New**
+3. Configure **General**:
+   - **Display Name:** Nox OpenClaw Detection
+   - **Enabled:** Yes
+   - **Trigger:** Recurring Check-in
+   - **Execution Frequency:** Once per day
+4. Configure **Scripts**:
+   - Click **Configure**
+   - Add "Nox OpenClaw Detection" script
+   - Set parameter values:
+     - **Parameter 4 (Webhook URL):** Your SIEM webhook URL
+     - **Parameter 5 (Webhook Token):** Your authentication token
+     - **Parameter 6 (Verbose):** false
+5. Configure **Scope**:
+   - **Targets:** All Managed Clients (or specific groups)
+6. Click **Save**
+### Enforcement Policy
+Create a policy to remediate detected installations.
+1. Navigate to **Computers > Policies**
+2. Click **+ New**
+3. Configure **General**:
+   - **Display Name:** Nox OpenClaw Enforcement
+   - **Enabled:** Yes (or No for manual trigger only)
+   - **Trigger:** Custom (see below) or Recurring Check-in
+   - **Execution Frequency:** Ongoing
+4. Configure **Scripts**:
+   - Add "Nox OpenClaw Enforcement" script
+   - Set parameter values as needed
+5. Configure **Scope**:
+   - **Targets:** Smart Group "OpenClaw Detected" (see below)
+6. Click **Save**
+### Self Service Policy (Optional)
+Allow users or IT to manually run enforcement:
+1. Create policy as above
+2. Set **Trigger:** Self Service
+3. Configure **Self Service**:
+   - **Make the policy available in Self Service:** Yes
+   - **Button Name:** Remove OpenClaw
+   - **Description:** Removes unauthorized AI agent software
+## Smart Groups
+### OpenClaw Detected
+Identify devices with OpenClaw installed:
+1. Navigate to **Computers > Smart Computer Groups**
+2. Click **+ New**
+3. Configure:
+   - **Display Name:** OpenClaw Detected
+   - **Criteria:**
+| And/Or | Criteria | Operator | Value |
+|--------|----------|----------|-------|
+| | Extension Attribute: OpenClaw Status | is | Installed |
+| or | Extension Attribute: OpenClaw Status | is | Running |
+4. Click **Save**
+### OpenClaw Running
+Identify devices actively running OpenClaw (high priority):
+1. Navigate to **Computers > Smart Computer Groups**
+2. Click **+ New**
+3. Configure:
+   - **Display Name:** OpenClaw Running
+   - **Criteria:**
+| Criteria | Operator | Value |
+|----------|----------|-------|
+| Extension Attribute: OpenClaw Status | is | Running |
+4. Click **Save**
+### OpenClaw Clean
+Identify devices without OpenClaw (for compliance reporting):
+1. Create Smart Group with criteria:
+| Criteria | Operator | Value |
+|----------|----------|-------|
+| Extension Attribute: OpenClaw Status | is | Not Installed |
+## Exit Codes
+Scripts report these exit codes to Jamf:
+| Code | Detection Meaning | Enforcement Meaning | Jamf Behavior |
+|------|-------------------|---------------------|---------------|
+| 0 | Not detected | Successful removal | Policy marked successful |
+| 1 | Detected | Partial failure | Policy marked failed |
+| 2 | Script error | Script error | Policy marked failed |
+| 3 | N/A | Nothing to remove | Policy marked successful |
+## Webhook Integration
+### Configure Webhooks in Policy
+Set webhook parameters in the policy script configuration:
+- **Parameter 4:** `https://siem.example.com/api/v1/events`
+- **Parameter 5:** `Bearer YOUR_API_TOKEN`
+### Webhook Payload
+Detection events send this payload:
+```json
+{
+  "event": "openclaw.detection",
+  "version": "1.0",
+  "timestamp": "2026-02-03T10:30:00Z",
+  "status": "detected",
+  "severity": "high",
+  "host": {
+    "hostname": "MacBook-Pro.local",
+    "os": "Darwin",
+    "arch": "arm64",
+    "user": "jsmith"
+  },
+  "jamf": {
+    "computer_name": "MacBook-Pro.local",
+    "mount_point": "/",
+    "username": "jsmith"
+  },
+  "details": "CLI found at /usr/local/bin/openclaw; Config directory found",
+  "source": {
+    "tool": "nox-openclaw-detector",
+    "version": "1.0.0",
+    "vendor": "Nox Security"
+  }
+}
+```
+### SIEM Queries
+Example Splunk query:
+```splunk
+index=security sourcetype=nox_openclaw event=openclaw.detection status=detected
+| stats count by host.hostname, details
+| sort -count
+```
+Example Datadog query:
+```
+source:nox_openclaw status:detected | count by host
+```
+## Advanced Configurations
+### Staged Rollout
+1. Create a static group with pilot devices
+2. Scope detection policy to pilot group first
+3. Monitor results for 1-2 weeks
+4. Expand scope to all managed devices
+### Automated Remediation Workflow
+1. Detection policy runs daily
+2. Smart Group "OpenClaw Detected" updates automatically
+3. Enforcement policy scoped to Smart Group runs immediately
+4. Webhook alerts security team of both events
+### Compliance Reporting
+Create an Advanced Search:
+1. Navigate to **Computers > Search Inventory**
+2. Create criteria: Extension Attribute "OpenClaw Status" is not "Not Installed"
+3. Save as "OpenClaw Compliance Report"
+4. Schedule email delivery to security team
+## Troubleshooting
+### Script Not Running
+1. Verify policy scope includes target computers
+2. Check policy trigger and frequency settings
+3. Ensure computer is checking in to Jamf
+4. Review **Management > Logs** on the computer
+### Permission Errors
+1. Scripts should run as root (default for policies)
+2. Check for SIP restrictions on certain paths
+3. Verify MDM profile allows script execution
+### Extension Attribute Not Updating
+1. Force inventory update: `sudo jamf recon`
+2. Check extension attribute is enabled
+3. Verify script syntax is correct
+### Webhook Failures
+1. Verify URL is accessible from managed devices
+2. Check firewall rules allow outbound HTTPS
+3. Validate bearer token
+4. Add verbose logging to troubleshoot:
+   - Set Parameter 6 to `true`
+   - Check policy logs in Jamf
+### False Negatives
+If OpenClaw is installed but not detected:
+1. Check for non-standard installation paths
+2. Verify detection script has latest signatures
+3. Run with verbose mode enabled
+4. Report to support@nox.security
+## Best Practices
+1. **Test First**: Deploy to a pilot group before fleet-wide rollout
+2. **Schedule Off-Hours**: Run detection during low-usage periods
+3. **Monitor Results**: Review Jamf logs and Smart Group membership regularly
+4. **Use Webhooks**: Integrate with SIEM for centralized alerting
+5. **Document Exceptions**: Track any approved OpenClaw installations
+6. **Regular Updates**: Update scripts when new versions are available
+## Support
+- Email: support@nox.security
+- Documentation: https://docs.nox.security/jamf
+- Jamf Marketplace: [Nox OpenClaw Detector](https://marketplace.jamf.com)