diff --git a/README.md b/README.md
index e34d265..bc6c6a8 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 ![](https://github.com/jamf/aftermath/blob/main/AftermathLogo.png)
-![](https://img.shields.io/badge/release-2.2.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
+![](https://img.shields.io/badge/release-2.2.1-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
 ## About
@@ -66,6 +66,61 @@ tcc: process == "tccd"
 ### Note
 Because `eslogger` and `tcpdump` run on additional threads and the goal is to collect as much data from them as possible, they exit when aftermath exits. Because of this, the last line of the eslogger json file or the pcap file generated from tcpdump may be truncated.
+### File Collection List
+- Artifacts
+ - Configuration Profiles
+ - Log Files
+ - LSQuarantine Database
+ - Shell History and Profiles (bash, csh, fish, ksh, zsh)
+ - TCC Database
+ - XBS Database (XProtect Behabioral Service)
+- Filesystem
+ - Browser Data (Cookies, Downloads, Extensions, History)
+ - Arc
+ - Brave
+ - Chrome
+ - Edge
+ - Firefox
+ - Safari
+ - File Data
+ - Walk common directories to get accessed, birth, modified timestamps
+ - Slack
+- Memory
+ - Calculate data based on current memory usage, swap, etc.
+- Network
+ - Active network connections
+ - Airport Preferences
+- Persistence
+ - BTM Database
+ - Cron
+ - Emond
+ - Launch Items
+ - Launch Agents
+ - Launch Daemons
+ - Login Hooks
+ - Login Items
+ - Overrides
+ - launchd Overrides
+ - MDM Overrides
+ - Periodic Scripts
+ - System Extensions
+- Processes
+ - Leverage [TrueTree](https://github.com/themittenmac/TrueTree) to create process tree
+- System Recon
+ - Environment Variables
+ - Install History
+ - Installed Applications
+ - Installed Users
+ - Interfaces
+ - MRT Version
+ - Running Applications
+ - Security Assessment (SIP status, Gatekeeper status, Firewall status, Filevault status, Remote Login, Airdrop status, I/O statistics, Screensharing status, Login History, Network Interface Parameters)
+ - XProtect Version
+ - XProtect Remediator (XPR) Version
+- Unified Logs
+ - Default Unified Logs (failed_sudo, login, manual_configuration_profile_install, screensharing, ssh, tcc, xprotect_remediator)
+ - Additional can be passed in at runtime
+
 ## Releases
 There is an Aftermath.pkg available under [Releases](https://github.com/jamf/aftermath/releases).
This pkg is signed and notarized. It will install the aftermath binary at `/usr/local/bin/`. This would be the ideal way to deploy via MDM. Since this is installed in `bin`, you can then run aftermath like
 ```bash
diff --git a/aftermath/Command.swift b/aftermath/Command.swift
index c4e21e8..7e3e24d 100644
--- a/aftermath/Command.swift
+++ b/aftermath/Command.swift
@@ -28,7 +28,7 @@ class Command {
 static var collectDirs: [String] = []
 static var unifiedLogsFile: String? = nil
 static var esLogs: [String] = ["create", "exec", "mmap"]
- static let version: String = "2.2.0"
+ static let version: String = "2.2.1"
 static var disableFeatures: [String:Bool] = ["all": false, "browsers": false, "browser-killswitch": false, "databases": false, "filesystem": false, "proc-info": false, "slack": false, "ul": false]
 static func main() {
diff --git a/analysis/DatabaseParser.swift b/analysis/DatabaseParser.swift
index c976f17..8b07906 100644
--- a/analysis/DatabaseParser.swift
+++ b/analysis/DatabaseParser.swift
@@ -328,6 +328,7 @@ class DatabaseParser: AftermathModule {
 case contacts_full = "kTCCServiceContactsFull"
 case contacts_limited = "kTCCServiceContactsLimited"
 case currentLocation = "kTCCServiceLocation"
+ case endpointSecurity = "kTCCServiceEndpointSecurityClient"
 case fileAccess = "kTCCServiceFileProviderDomain"
 case fileAccess_request = "kTCCServiceFileProviderPresence"
 case fitness = "kTCCServiceMotion"
diff --git a/libs/launchdXPC/launchdXPC.m b/libs/launchdXPC/launchdXPC.m
index edfcf13..2c70f00 100644
--- a/libs/launchdXPC/launchdXPC.m
+++ b/libs/launchdXPC/launchdXPC.m
@@ -1,5 +1,5 @@
 //
-// launchdXPC.c
+// launchdXPC.m
 // Created by Patrick Wardle
 // Ported from code by Jonathan Levin
 //
@@ -367,7 +367,7 @@ hit up launchd (via XPC) to get process info
 //end key line? (line: "}")
 // remove dictionary, as it's no longer needed
- if(YES == [obj hasSuffix:@"}"])
+ if(YES == [obj isEqualToString:@"}"])
 {
 //remove
 [dictionaries removeLastObject];
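Review bot: The new `endpointSecurity` case in the DatabaseParser hunk carries no comment, and nothing in view tells an analyst what a grant for this service means in the collected TCC output. A trailing comment such as `// TCC grant that lets a process subscribe as an Endpoint Security client (EDR/ES system extensions); unexpected entries here are worth a second look` would make the parsed row self-explanatory. The enum's declaration and any `switch` over it are outside the hunk; if such a switch uses a `default:` rather than an exhaustive match, confirm the new case is not silently folded into generic handling.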
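Review bot: The tightened comparison on the `+` line only matches a bare `}`, so if `obj` still carries leading whitespace (dumped nested dictionaries are typically indented per level) the closing brace of a nested dictionary is no longer recognised and `dictionaries` is never popped, whereas `hasSuffix:` tolerated the indent. The enclosing parsing loop starts outside the hunk, so I cannot see whether `obj` is trimmed before this check; if it is not, compare a trimmed copy, e.g. `if(YES == [[obj stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceCharacterSet]] isEqualToString:@"}"])`. A one-line comment stating why the exact match replaced the suffix match, e.g. `// exact match: a value line that merely ends in "}" must not pop the dictionary stack`, would keep the next reader from reverting it.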
diff --git a/persistence/Overrides.swift b/persistence/Overrides.swift
index 1e0aba7..30e0c3d 100644
--- a/persistence/Overrides.swift
+++ b/persistence/Overrides.swift
@@ -15,7 +15,7 @@ class Overrides: PersistenceModule {
 self.saveToRawDir = saveToRawDir
 }
- func collectOverrides(urlLocations: [URL], capturedFile: URL) {
+ func collectLaunchdOverrides(urlLocations: [URL], capturedFile: URL) {
 for url in urlLocations {
 let plistDict = Aftermath.getPlistAsDict(atUrl: url)
@@ -25,14 +25,20 @@ class Overrides: PersistenceModule {
 }
 }
+ func collectMdmOverrides(path: String) {
+ self.copyFileToCase(fileToCopy: URL(fileURLWithPath: path), toLocation: moduleDirRoot)
+ }
+
 override func run() {
- self.log("Collecting overrides...")
+ self.log("Collecting all overrides...")
+ // launchd overrides
 let capturedOverridesFile = self.createNewCaseFile(dirUrl: moduleDirRoot, filename: "overrides.txt")
-
 let overrides = filemanager.filesInDirRecursive(path: "/var/db/launchd.db/com.apple.launchd/")
+ collectLaunchdOverrides(urlLocations: overrides, capturedFile: capturedOverridesFile)
- collectOverrides(urlLocations: overrides, capturedFile: capturedOverridesFile)
-
+ // mdm overrides
+ let mdmOverridesFile = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
+ collectMdmOverrides(path: mdmOverridesFile)
 }
 }
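Review bot: `collectMdmOverrides(path:)` copies `/Library/Application Support/com.apple.TCC/MDMOverrides.plist` unconditionally, but that file generally exists only on hosts where an MDM has pushed a TCC (PPPC) payload, so on unmanaged machines every run takes the missing-source path inside `copyFileToCase`. Unless that helper is already documented as tolerating an absent file, guard the call so the case log distinguishes "not present" from a copy failure: `guard FileManager.default.fileExists(atPath: path) else { self.log("No MDM overrides file at \(path)"); return }`. The new method also lacks a doc comment; `/// Copies the MDM-managed TCC overrides plist (PPPC payload) into the module's case directory.` would tell an analyst what the artifact is. The rename in the first hunk (`collectOverrides` to `collectLaunchdOverrides`) should be checked against any callers outside this file, which the diff does not show.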