Merge pull request #60 from jamf/dev
New functionality and bug fixes
jbradley89 authored Mar 8, 2024
2 parents 1d18b58 + c73cdce commit 6e729a5
Showing 32 changed files with 1,193 additions and 399 deletions.
63 changes: 59 additions & 4 deletions README.md
Expand Up @@ -2,7 +2,7 @@
![](https://github.com/jamf/aftermath/blob/main/AftermathLogo.png)


![](https://img.shields.io/badge/release-2.0.0-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)
![](https://img.shields.io/badge/release-2.2.1-bright%20green) ![](https://img.shields.io/badge/macOS-12.0%2B-blue) ![](https://img.shields.io/badge/license-MIT-orange)


## About
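Review bot: the release badge moves from 2.0.0 to 2.2.1 here; confirm that the signed and notarized Aftermath.pkg published under Releases reports the same version string, so the badge, the GitHub release tag and the installed binary agree.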
Expand Down Expand Up @@ -66,6 +66,59 @@ tcc: process == "tccd"
### Note
Because `eslogger` and `tcpdump` run on additional threads and the goal is to collect as much data from them as possible, they exit when aftermath exits. Because of this, the last line of the eslogger json file or the pcap file generated from tcpdump may be truncated.

### File Collection List
- Artifacts
- Configuration Profiles
- Log Files
- LSQuarantine Database
- Shell History and Profiles (bash, csh, fish, ksh, zsh)
- TCC Database
- XBS Database (XProtect Behabioral Service)
- Filesystem
- Browser Data (Cookies, Downloads, Extensions, History)
- Arc
- Brave
- Chrome
- Edge
- Firefox
- Safari
- File Data
- Walk common directories to get accessed, birth, modified timestamps
- Slack
- Network
- Active network connections
- Airport Preferences
- Persistence
- BTM Database
- Cron
- Emond
- Launch Items
- Launch Agents
- Launch Daemons
- Login Hooks
- Login Items
- Overrides
- launchd Overrides
- MDM Overrides
- Periodic Scripts
- System Extensions
- Processes
- Leverage [TrueTree](https://github.com/themittenmac/TrueTree) to create process tree
- System Recon
- Environment Variables
- Install History
- Installed Applications
- Installed Users
- Interfaces
- MRT Version
- Running Applications
- Security Assessment (SIP status, Gatekeeper status, Firewall status, Filevault status, Remote Login, Airdrop status, I/O statistics, Screensharing status, Login History, Network Interface Parameters)
- XProtect Version
- XProtect Remediator (XPR) Version
- Unified Logs
- Default Unified Logs (failed_sudo, login, manual_configuration_profile_install, screensharing, ssh, tcc, xprotect_remediator)
- Additional can be passed in at runtime

## Releases
There is an Aftermath.pkg available under [Releases](https://github.com/jamf/aftermath/releases). This pkg is signed and notarized. It will install the aftermath binary at `/usr/local/bin/`. This would be the ideal way to deploy via MDM. Since this is installed in `bin`, you can then run aftermath like
```bash
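Review bot: typo in the new File Collection List, "XBS Database (XProtect Behabioral Service)" should read "XProtect Behavioral Service", matching the XProtectBehavioralService.swift source file elsewhere in this commit. The new Brave and BTM Database entries line up with the Brave.swift and BTM.swift files added in the project, so the list otherwise matches what the build now includes.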
Expand All @@ -84,14 +137,16 @@ To uninstall the aftermath binary, run the `AftermathUninstaller.pkg` from the [
usage: --collect-dirs <path_to_dir> <path_to_another_dir>
--deep or -d -> perform a deep scan of the file system for modified and accessed timestamped metadata
WARNING: This will be a time-intensive, memory-consuming scan.
--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap). To disable, see --disable-es-logs
--disable -> disable a set of aftermath features that may collect personal user data
Available features to disable: browsers -> collecting browser information | browser-killswitch -> force-closes browers | -> databases -> tcc & lsquarantine databases | filesystem -> walking the filesystem for timestamps | proc-info -> collecting process information via TrueTree and eslogger | slack -> slack data | ul -> unified logging modules | all -> all aforementioned options
usage: --disable browsers browser-killswitch databases filesystem proc-info slack
--disable all
--es-logs -> specify which Endpoint Security events (space-separated) to collect (defaults are: create exec mmap). To disable, see --disable es-logs
usage: --es-logs setuid unmount write
--logs -> specify an external text file with unified log predicates (as dictionary objects) to parse
usage: --logs /Users/<USER>/Desktop/myPredicates.txt
-o or --output -> specify an output location for Aftermath collection results (defaults to /tmp)
usage: -o Users/user/Desktop
--disable-browser-killswitch -> by default, browsers are force-closed during collection. This will disable the force-closing of browsers.
--disable-es-logs -> by default, es logs of create, exec, and mmap are collected. This will disable this default behavior
--pretty -> colorize Terminal output
--cleanup -> remove Aftermath folders from default locations ("/tmp", "/var/folders/zz/)
```
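Review bot: the new `--es-logs` usage line says "To disable, see --disable es-logs", but `es-logs` is not among the features listed for `--disable` (browsers, browser-killswitch, databases, filesystem, proc-info, slack, ul, all), and the old `--disable-es-logs` and `--disable-browser-killswitch` lines are removed. Either add `es-logs` to the `--disable` feature list or point the reference at the flag that actually exists, and add `ul` to the `--disable` usage example so it shows every feature. Two smaller points: the stray "| -> databases" separator in the features line, and the `-o` usage example `Users/user/Desktop` is missing its leading slash.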
38 changes: 27 additions & 11 deletions aftermath.xcodeproj/project.pbxproj
Expand Up @@ -16,6 +16,8 @@
5E93B0AE2941608D009D2AB5 /* Data.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E93B0AD2941608D009D2AB5 /* Data.swift */; };
5E93B0B0294160B6009D2AB5 /* String.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5E93B0AF294160B6009D2AB5 /* String.swift */; };
5EA438FF2A7010FF00F3E2B9 /* XProtectBehavioralService.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5EA438FE2A7010FF00F3E2B9 /* XProtectBehavioralService.swift */; };
5ECE5DC12ADF2B4A00939BB0 /* BTM.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5ECE5DC02ADF2B4A00939BB0 /* BTM.swift */; };
5EFDDCD72AC6661A00EEF193 /* Brave.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5EFDDCD62AC6661A00EEF193 /* Brave.swift */; };
70A44403275707A90035F40E /* SystemReconModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70A44402275707A90035F40E /* SystemReconModule.swift */; };
70A44405275A76990035F40E /* LSQuarantine.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70A44404275A76990035F40E /* LSQuarantine.swift */; };
70CF9E3A27611C6100FD884B /* ShellHistoryAndProfiles.swift in Sources */ = {isa = PBXBuildFile; fileRef = 70CF9E3927611C6100FD884B /* ShellHistoryAndProfiles.swift */; };
Expand All @@ -28,7 +30,6 @@
A02509F428ADB1A80030D6A7 /* CHelpers.swift in Sources */ = {isa = PBXBuildFile; fileRef = A02509F328ADB1A80030D6A7 /* CHelpers.swift */; };
A029AB152876A02800649701 /* ProcessModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A029AB142876A02800649701 /* ProcessModule.swift */; };
A029AB192876A29600649701 /* Pids.swift in Sources */ = {isa = PBXBuildFile; fileRef = A029AB182876A29600649701 /* Pids.swift */; };
A029AB1C28774CA400649701 /* Tree.swift in Sources */ = {isa = PBXBuildFile; fileRef = A029AB1B28774CA400649701 /* Tree.swift */; };
A029AB2B2877F52D00649701 /* launchdXPC.m in Sources */ = {isa = PBXBuildFile; fileRef = A029AB2A2877F52D00649701 /* launchdXPC.m */; };
A05BF3BD284FF8C0009E197B /* FileSystemModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A05BF3BC284FF8C0009E197B /* FileSystemModule.swift */; };
A05BF3BF284FF8CF009E197B /* Slack.swift in Sources */ = {isa = PBXBuildFile; fileRef = A05BF3BE284FF8CF009E197B /* Slack.swift */; };
Expand Down Expand Up @@ -62,6 +63,9 @@
A1E433E528B9270800E2B510 /* dummyPlist.plist in Resources */ = {isa = PBXBuildFile; fileRef = A1E433E428B9270800E2B510 /* dummyPlist.plist */; };
A3046F8E27627DAC0069AA21 /* Module.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3046F8D27627DAC0069AA21 /* Module.swift */; };
A3046F902763AE5E0069AA21 /* CaseFiles.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3046F8F2763AE5E0069AA21 /* CaseFiles.swift */; };
A31009A42B9B838100068593 /* Network.swift in Sources */ = {isa = PBXBuildFile; fileRef = A31009A32B9B838100068593 /* Network.swift */; };
A31009A62B9B83E300068593 /* Node.swift in Sources */ = {isa = PBXBuildFile; fileRef = A31009A52B9B83E300068593 /* Node.swift */; };
A31009A82B9B845E00068593 /* Processes.swift in Sources */ = {isa = PBXBuildFile; fileRef = A31009A72B9B845E00068593 /* Processes.swift */; };
A3745358275730870074B65C /* LaunchItems.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3745357275730870074B65C /* LaunchItems.swift */; };
A374535A275735B40074B65C /* LoginHooks.swift in Sources */ = {isa = PBXBuildFile; fileRef = A3745359275735B40074B65C /* LoginHooks.swift */; };
A374535D2757C1300074B65C /* FileManager.swift in Sources */ = {isa = PBXBuildFile; fileRef = A374535C2757C1300074B65C /* FileManager.swift */; };
Expand Down Expand Up @@ -90,6 +94,8 @@
5E93B0AD2941608D009D2AB5 /* Data.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Data.swift; sourceTree = "<group>"; };
5E93B0AF294160B6009D2AB5 /* String.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = String.swift; sourceTree = "<group>"; };
5EA438FE2A7010FF00F3E2B9 /* XProtectBehavioralService.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = XProtectBehavioralService.swift; sourceTree = "<group>"; };
5ECE5DC02ADF2B4A00939BB0 /* BTM.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BTM.swift; sourceTree = "<group>"; };
5EFDDCD62AC6661A00EEF193 /* Brave.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Brave.swift; sourceTree = "<group>"; };
70A44402275707A90035F40E /* SystemReconModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SystemReconModule.swift; sourceTree = "<group>"; };
70A44404275A76990035F40E /* LSQuarantine.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LSQuarantine.swift; sourceTree = "<group>"; };
70CF9E3927611C6100FD884B /* ShellHistoryAndProfiles.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ShellHistoryAndProfiles.swift; sourceTree = "<group>"; };
Expand All @@ -102,7 +108,6 @@
A02509F328ADB1A80030D6A7 /* CHelpers.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CHelpers.swift; sourceTree = "<group>"; };
A029AB142876A02800649701 /* ProcessModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ProcessModule.swift; sourceTree = "<group>"; };
A029AB182876A29600649701 /* Pids.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Pids.swift; sourceTree = "<group>"; };
A029AB1B28774CA400649701 /* Tree.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Tree.swift; sourceTree = "<group>"; };
A029AB282877F4F400649701 /* module.modulemap */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.module-map"; path = module.modulemap; sourceTree = "<group>"; };
A029AB292877F50900649701 /* launchdXPC.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = launchdXPC.h; sourceTree = "<group>"; };
A029AB2A2877F52D00649701 /* launchdXPC.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = launchdXPC.m; sourceTree = "<group>"; };
Expand Down Expand Up @@ -138,6 +143,9 @@
A1E433E428B9270800E2B510 /* dummyPlist.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = dummyPlist.plist; sourceTree = "<group>"; };
A3046F8D27627DAC0069AA21 /* Module.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Module.swift; sourceTree = "<group>"; };
A3046F8F2763AE5E0069AA21 /* CaseFiles.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CaseFiles.swift; sourceTree = "<group>"; };
A31009A32B9B838100068593 /* Network.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Network.swift; sourceTree = "<group>"; };
A31009A52B9B83E300068593 /* Node.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Node.swift; sourceTree = "<group>"; };
A31009A72B9B845E00068593 /* Processes.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Processes.swift; sourceTree = "<group>"; };
A3745357275730870074B65C /* LaunchItems.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LaunchItems.swift; sourceTree = "<group>"; };
A3745359275735B40074B65C /* LoginHooks.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = LoginHooks.swift; sourceTree = "<group>"; };
A374535C2757C1300074B65C /* FileManager.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = FileManager.swift; sourceTree = "<group>"; };
Expand Down Expand Up @@ -213,7 +221,9 @@
children = (
A029AB142876A02800649701 /* ProcessModule.swift */,
A029AB182876A29600649701 /* Pids.swift */,
A029AB1B28774CA400649701 /* Tree.swift */,
A31009A32B9B838100068593 /* Network.swift */,
A31009A52B9B83E300068593 /* Node.swift */,
A31009A72B9B845E00068593 /* Processes.swift */,
);
path = processes;
sourceTree = "<group>";
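Review bot: Tree.swift is dropped from the processes group and replaced by Network.swift, Node.swift and Processes.swift (the matching PBXBuildFile, PBXFileReference and Sources entries are removed in the neighbouring hunks, so the project stays consistent). The README in this same commit still states that process trees are built by leveraging TrueTree; confirm that sentence still describes the new implementation, and make sure Tree.swift is deleted from the repository rather than left as an orphaned file.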
Expand Down Expand Up @@ -264,6 +274,7 @@
A09B239B2848F6050062D592 /* Periodic.swift */,
A007834D28947D71008489EA /* Emond.swift */,
A007834F28947E80008489EA /* LoginItems.swift */,
5ECE5DC02ADF2B4A00939BB0 /* BTM.swift */,
);
path = persistence;
sourceTree = "<group>";
Expand All @@ -290,6 +301,7 @@
A0E1E3EE275EC810008D0DC6 /* Safari.swift */,
5E6780F12922E7E800BAF04B /* Edge.swift */,
5E4BC8FF29D75A8E0004DAA6 /* Arc.swift */,
5EFDDCD62AC6661A00EEF193 /* Brave.swift */,
);
path = browsers;
sourceTree = "<group>";
Expand Down Expand Up @@ -520,6 +532,7 @@
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
5EFDDCD72AC6661A00EEF193 /* Brave.swift in Sources */,
A3CD4E56274434EE00869ECB /* Command.swift in Sources */,
5E494475293D50FE007FFBDD /* ConfigurationProfiles.swift in Sources */,
5E4BC90029D75A8E0004DAA6 /* Arc.swift in Sources */,
Expand All @@ -531,9 +544,9 @@
A3046F902763AE5E0069AA21 /* CaseFiles.swift in Sources */,
A029AB152876A02800649701 /* ProcessModule.swift in Sources */,
5E6780F22922E7E800BAF04B /* Edge.swift in Sources */,
A029AB1C28774CA400649701 /* Tree.swift in Sources */,
A007835028947E80008489EA /* LoginItems.swift in Sources */,
A0C930D428A4318F0011FB87 /* Timeline.swift in Sources */,
5ECE5DC12ADF2B4A00939BB0 /* BTM.swift in Sources */,
A374535A275735B40074B65C /* LoginHooks.swift in Sources */,
70CF9E3A27611C6100FD884B /* ShellHistoryAndProfiles.swift in Sources */,
A0E1E3EB275EC800008D0DC6 /* Firefox.swift in Sources */,
Expand All @@ -544,6 +557,8 @@
A02509F428ADB1A80030D6A7 /* CHelpers.swift in Sources */,
70A44403275707A90035F40E /* SystemReconModule.swift in Sources */,
A029AB2B2877F52D00649701 /* launchdXPC.m in Sources */,
A31009A42B9B838100068593 /* Network.swift in Sources */,
A31009A82B9B845E00068593 /* Processes.swift in Sources */,
A0E1E3EF275EC810008D0DC6 /* Safari.swift in Sources */,
A006B5A12882FBA70091FAA1 /* DatabaseParser.swift in Sources */,
70A44405275A76990035F40E /* LSQuarantine.swift in Sources */,
Expand All @@ -562,6 +577,7 @@
5E494473293AC914007FFBDD /* URL.swift in Sources */,
A007834E28947D71008489EA /* Emond.swift in Sources */,
5E29FD752A2FB0EF008D528F /* ESLogs.swift in Sources */,
A31009A62B9B83E300068593 /* Node.swift in Sources */,
A076742F2755798F00ED7066 /* ArtifactsModule.swift in Sources */,
A0759135275985170006766F /* TCC.swift in Sources */,
A0E1E3F6275ED2E4008D0DC6 /* NetworkModule.swift in Sources */,
Expand Down Expand Up @@ -749,7 +765,7 @@
CODE_SIGN_STYLE = Manual;
DEAD_CODE_STRIPPING = YES;
DEVELOPMENT_TEAM = "";
"DEVELOPMENT_TEAM[sdk=macosx*]" = 6PV5YF2UES;
"DEVELOPMENT_TEAM[sdk=macosx*]" = C793NB2B2B;
ENABLE_HARDENED_RUNTIME = YES;
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
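Review bot: the sdk-scoped DEVELOPMENT_TEAM changes from 6PV5YF2UES to C793NB2B2B and PRODUCT_BUNDLE_IDENTIFIER from com.crashsecurity.aftermath to com.jamf.aftermath, with CODE_SIGN_STYLE = Manual and an empty PROVISIONING_PROFILE_SPECIFIER. A different signing team changes the binary's designated requirement, so TCC / Full Disk Access grants and MDM PPPC profiles written against the previous team or bundle identifier will not match the re-signed binary; since the README recommends deploying the pkg via MDM, this should be called out in the release notes with the new identifier and team ID so administrators can update their profiles.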
Expand All @@ -759,7 +775,7 @@
MACH_O_TYPE = mh_execute;
NEW_SETTING = "";
ONLY_ACTIVE_ARCH = YES;
PRODUCT_BUNDLE_IDENTIFIER = com.crashsecurity.aftermath;
PRODUCT_BUNDLE_IDENTIFIER = com.jamf.aftermath;
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE_SPECIFIER = "";
SWIFT_INCLUDE_PATHS = "$(SRCROOT) $(SRCROOT)/libs/ProcLib $(SRCROOT)/libs/launchdXPC";
Expand All @@ -778,8 +794,8 @@
CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
CODE_SIGN_STYLE = Manual;
DEAD_CODE_STRIPPING = YES;
DEVELOPMENT_TEAM = 6PV5YF2UES;
"DEVELOPMENT_TEAM[sdk=macosx*]" = 6PV5YF2UES;
DEVELOPMENT_TEAM = "";
"DEVELOPMENT_TEAM[sdk=macosx*]" = C793NB2B2B;
ENABLE_HARDENED_RUNTIME = YES;
LD_RUNPATH_SEARCH_PATHS = (
"$(inherited)",
Expand All @@ -789,7 +805,7 @@
MACH_O_TYPE = mh_execute;
NEW_SETTING = "";
ONLY_ACTIVE_ARCH = NO;
PRODUCT_BUNDLE_IDENTIFIER = com.crashsecurity.aftermath;
PRODUCT_BUNDLE_IDENTIFIER = com.jamf.aftermath;
PRODUCT_NAME = "$(TARGET_NAME)";
PROVISIONING_PROFILE_SPECIFIER = "";
SWIFT_INCLUDE_PATHS = "$(SRCROOT) $(SRCROOT)/libs/ProcLib $(SRCROOT)/libs/launchdXPC";
Expand Down Expand Up @@ -834,8 +850,8 @@
isa = XCRemoteSwiftPackageReference;
repositoryURL = "https://github.com/weichsel/ZIPFoundation";
requirement = {
kind = upToNextMajorVersion;
minimumVersion = 0.9.9;
kind = exactVersion;
version = 0.9.18;
};
};
/* End XCRemoteSwiftPackageReference section */
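Review bot: moving ZIPFoundation from upToNextMajorVersion / minimumVersion 0.9.9 to exactVersion 0.9.18 is the right choice for a forensic collection tool (reproducible builds, no silent dependency upgrades on resolve), but it also means upstream fixes in ZIPFoundation are only picked up by an explicit bump; note in the README or a CONTRIBUTING section that this pin is intentional and where it is maintained, and verify that the 0.9.18 tag corresponds to the revision recorded in Package.resolved.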
@@ -1,14 +1,15 @@
{
"originHash" : "d0d4edfdf2bf3cd05b3ba2dec0af1a9c271c93f944cbba8677cc647f74a6b323",
"pins" : [
{
"identity" : "zipfoundation",
"kind" : "remoteSourceControl",
"location" : "https://github.com/weichsel/ZIPFoundation",
"state" : {
"revision" : "43ec568034b3731101dbf7670765d671c30f54f3",
"version" : "0.9.16"
"revision" : "b979e8b52c7ae7f3f39fa0182e738e9e7257eb78",
"version" : "0.9.18"
}
}
],
"version" : 2
"version" : 3
}
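Review bot: the lockfile format moves from "version" : 2 to "version" : 3 and gains an "originHash" entry, which only newer Xcode / SwiftPM toolchains emit; older toolchains will rewrite or reject this file, so the README should state the minimum Xcode version required to build (the macOS 12.0+ badge describes the runtime target, not the build requirement). Also confirm that revision b979e8b52c7ae7f3f39fa0182e738e9e7257eb78 is the commit the upstream 0.9.18 tag points to, since the pinned revision is what the build actually fetches.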