Merge pull request #29 from jamf/stuartjash_v003

v003 update
jamf · Sep 2, 2022 · fdcc7b1 · fdcc7b1
2 parents b5ce7c0 + 3be2aff
commit fdcc7b1
Show file tree

Hide file tree

Showing 10 changed files with 31 additions and 49 deletions.
diff --git a/aftermath/CaseFiles.swift b/aftermath/CaseFiles.swift
@@ -34,43 +34,27 @@ struct CaseFiles {
         }
     }
 
-    static func MoveCaseDir(outputDir: String) {
-        
-        print("Moving the collection directory from its temporary location. This may take some time. Please wait...")
-        
-        var endURL: URL
+
+    static func MoveTemporaryCaseDir(outputDir: String, isAnalysis: Bool) {
+        print("Moving the aftermath direcotry from its tempoarary location. This may take some time. Please wait...")
+
+        var localCaseDir: URL
 
-        if outputDir == "default" {
-
-            endURL = URL(fileURLWithPath: "/tmp/\(caseDir.lastPathComponent)")
+        if isAnalysis {
+            localCaseDir = analysisCaseDir
         } else {
-            endURL = URL(fileURLWithPath: "\(outputDir)/\(caseDir.lastPathComponent)")
-
+            localCaseDir = caseDir
         }
-
-        let zippedURL = endURL.appendingPathExtension("zip")
-
         do {
-            try fm.zipItem(at: caseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
+            let endURL = URL(fileURLWithPath: "\(outputDir)/\(localCaseDir.lastPathComponent)")
+            let zippedURL = endURL.appendingPathExtension("zip")
+
+            try fm.zipItem(at: localCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
             try fm.moveItem(at: endURL, to: zippedURL)
             print("Aftermath archive moved to \(zippedURL.path)")
-        } catch {
-            print("Unable to create archive. Error: \(error)")
-        }
-    }
 
-    static func MoveAnalysisCaseDir() {
-        let endURL = URL(fileURLWithPath: "/tmp/\(analysisCaseDir.lastPathComponent)")
-        let zippedURL = endURL.appendingPathExtension("zip")
-
-        print("Moving the analysis directory from its temporary location. This may take some time. Please wait...")
-
-        do {
-            try fm.zipItem(at: analysisCaseDir, to: endURL, shouldKeepParent: true, compressionMethod: .deflate)
-            try fm.moveItem(at: endURL, to: zippedURL)
-            print("Aftermath analysis archive moved to \(zippedURL.path)")
         } catch {
-            print(error)
+            print("Unable to create archive. Error: \(error)")
         }
     }
 }
diff --git a/aftermath/Command.swift b/aftermath/Command.swift
@@ -93,9 +93,14 @@ class Command {
              analysisModule.run()
 
              mainModule.log("Finished analysis module")
+
+             guard isDirectoryThatExists(path: Self.outputDir) else {
+                 mainModule.log("Output directory is not a valid directory that exists")
+                 return
+             }
 
-             // Move analysis directory to tmp
-             CaseFiles.MoveAnalysisCaseDir()
+             // Move analysis directory to output direcotry
+             CaseFiles.MoveTemporaryCaseDir(outputDir: self.outputDir, isAnalysis: true)
 
              // End Aftermath
              mainModule.log("Aftermath Finished")
@@ -162,15 +167,16 @@ class Command {
                  return
              }
 
-             // Copy from cache to /tmp
-             CaseFiles.MoveCaseDir(outputDir: Self.outputDir)
+             // Copy from cache to output
+             CaseFiles.MoveTemporaryCaseDir(outputDir: self.outputDir, isAnalysis: false)
 
              // End Aftermath
              mainModule.log("Aftermath Finished")
          }
      }
 
      static func cleanup() {
+         // remove any aftermath directories from tmp and /var/folders/zz
          let potentialPaths = ["/tmp", "/var/folders/zz"]
          for p in potentialPaths {
              let enumerator = FileManager.default.enumerator(atPath: p)

diff --git a/filesystem/FileSystemModule.swift b/filesystem/FileSystemModule.swift
@@ -37,8 +37,7 @@ class FileSystemModule: AftermathModule, AMProto {
         for user in getUsersOnSystem() { self.addTextToFile(atUrl: sysUsers, text: "\nUsers\n\(user.username)\n\(user.homedir)\n") }
 
         // walk file system
-        let fileWalker = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "file_walker.txt")
-        let walker = FileWalker(writeFile: fileWalker)
+        let walker = FileWalker()
         walker.run()
     }
 }
diff --git a/filesystem/FileWalker.swift b/filesystem/FileWalker.swift
@@ -9,21 +9,14 @@ import Foundation
 
 class FileWalker: FileSystemModule {
 
-    let writeFile: URL
-
-
-    init(writeFile: URL) {
-        self.writeFile = writeFile
-    }
-
     func runScanner(directories: [String]) {
 
 
         self.log("Scanning requested directories...")
 
         for p in directories {
 
-            self.log("Querying directory \(p)")
+            self.log("Collecting metadata from file in \(p)")
             let directory = filemanager.filesInDirRecursive(path: p)
             for file in directory {
                 if file.path.contains("homebrew") { continue }

diff --git a/persistence/Cron.swift b/persistence/Cron.swift
@@ -21,7 +21,7 @@ class Cron: PersistenceModule {
             // copy the files to the persistence directory
             do {
                 self.copyFileToCase(fileToCopy: url, toLocation: rawLoc)
-                self.addTextToFile(atUrl: captured, text: "/n ----- \(url) -----/n")
+                self.addTextToFile(atUrl: captured, text: "/n ----- \(url.path) -----/n")
                 let contents = try String(contentsOf: url)
                 self.addTextToFile(atUrl: captured, text: contents)
             } catch {

diff --git a/persistence/LaunchItems.swift b/persistence/LaunchItems.swift
@@ -23,7 +23,7 @@ class LaunchItems: PersistenceModule {
             self.copyFileToCase(fileToCopy: url, toLocation: self.saveToRawDir)
 
             // write the plists to one file
-            self.addTextToFile(atUrl: capturedLaunchFile, text: "\n----- \(url) -----\n")
+            self.addTextToFile(atUrl: capturedLaunchFile, text: "\n----- \(url.path) -----\n")
             self.addTextToFile(atUrl: capturedLaunchFile, text: plistDict.description)
         }
     }

diff --git a/persistence/Overrides.swift b/persistence/Overrides.swift
@@ -20,7 +20,7 @@ class Overrides: PersistenceModule {
             let plistDict = Aftermath.getPlistAsDict(atUrl: url)
 
             self.copyFileToCase(fileToCopy: url, toLocation: self.saveToRawDir)
-            self.addTextToFile(atUrl: capturedFile, text: "\n----- \(url) -----\n")
+            self.addTextToFile(atUrl: capturedFile, text: "\n----- \(url.path) -----\n")
             self.addTextToFile(atUrl: capturedFile, text: plistDict.description)
         }
     }

diff --git a/persistence/Periodic.swift b/persistence/Periodic.swift
@@ -21,7 +21,7 @@ class Periodic: PersistenceModule {
             self.copyFileToCase(fileToCopy: url, toLocation: directory)
 
             do {
-                self.addTextToFile(atUrl: capturedScriptsFile, text: "/n ----- \(url) -----/n")
+                self.addTextToFile(atUrl: capturedScriptsFile, text: "/n ----- \(url.path) -----/n")
                 let contents = try String(contentsOf: url)
                 self.addTextToFile(atUrl: capturedScriptsFile, text: contents)
             } catch {

diff --git a/persistence/SystemExtensions.swift b/persistence/SystemExtensions.swift
@@ -17,7 +17,7 @@ class SystemExtensions: PersistenceModule {
 
     func captureSysExtensions(urlLocations: [URL], rawLoc: URL) {
         let capturedSystemExtensions = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "systemExtensions.txt")
-        self.addTextToFile(atUrl: capturedSystemExtensions, text: "System Extension URLs\n-----\n\n")
+        self.addTextToFile(atUrl: capturedSystemExtensions, text: "System Extension URLs\n\n")
         for url in urlLocations {
             self.addTextToFile(atUrl: capturedSystemExtensions, text: "\(url.path)\n")
         }

diff --git a/unifiedlogs/UnifiedLogModule.swift b/unifiedlogs/UnifiedLogModule.swift
@@ -24,7 +24,7 @@ class UnifiedLogModule: AftermathModule, AMProto {
             "failed_sudo": "process == \"sudo\" and eventMessage CONTAINS \"TTY\" AND eventMessage CONTAINS \"3 incorrect password attempts\"",
             "manual_configuration_profile_install": "subsystem == \"com.apple.ManagedClient\" AND process == \"mdmclient\" AND category == \"MDMDaemon\" and eventMessage CONTAINS \"Installed configuration profile:\" AND eventMessage CONTAINS \"Source: Manual\"",
             "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")",
-            "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\""
+            "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\"  && category == \"XPEvent.structured\""
         ]
     }