jamf · stuartjash · Apr 12, 2022 · Apr 1, 2022 · Apr 1, 2022 · Apr 6, 2022
diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj
@@ -16,6 +16,9 @@
 		A076742C27555FC100ED7066 /* PersistenceModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A076742B27555FC100ED7066 /* PersistenceModule.swift */; };
 		A076742F2755798F00ED7066 /* ArtifactsModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A076742E2755798F00ED7066 /* ArtifactsModule.swift */; };
 		A0879957275AD2DC00E885BC /* SystemConfig.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0879956275AD2DC00E885BC /* SystemConfig.swift */; };
+		A0D6D54327F76C58002BB3C8 /* Cron.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54227F76C58002BB3C8 /* Cron.swift */; };
+		A0D6D54727FE147D002BB3C8 /* Overrides.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54627FE147D002BB3C8 /* Overrides.swift */; };
+		A0D6D54927FE52C1002BB3C8 /* SystemExtensions.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */; };
 		A0E1E3E4275EC3D2008D0DC6 /* Swap.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */; };
 		A0E1E3E6275EC433008D0DC6 /* MemoryModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */; };
 		A0E1E3E9275EC736008D0DC6 /* BrowserModule.swift in Sources */ = {isa = PBXBuildFile; fileRef = A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */; };
@@ -57,6 +60,9 @@
 		A076742B27555FC100ED7066 /* PersistenceModule.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PersistenceModule.swift; sourceTree = "<group>"; };
 		A076742E2755798F00ED7066 /* ArtifactsModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ArtifactsModule.swift; sourceTree = "<group>"; };
 		A0879956275AD2DC00E885BC /* SystemConfig.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = SystemConfig.swift; sourceTree = "<group>"; };
+		A0D6D54227F76C58002BB3C8 /* Cron.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Cron.swift; sourceTree = "<group>"; };
+		A0D6D54627FE147D002BB3C8 /* Overrides.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Overrides.swift; sourceTree = "<group>"; };
+		A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SystemExtensions.swift; sourceTree = "<group>"; };
 		A0E1E3E3275EC3D2008D0DC6 /* Swap.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = Swap.swift; sourceTree = "<group>"; };
 		A0E1E3E5275EC433008D0DC6 /* MemoryModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MemoryModule.swift; sourceTree = "<group>"; };
 		A0E1E3E8275EC736008D0DC6 /* BrowserModule.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = BrowserModule.swift; sourceTree = "<group>"; };
@@ -123,6 +129,9 @@
 				A076742B27555FC100ED7066 /* PersistenceModule.swift */,
 				A3745357275730870074B65C /* LaunchItems.swift */,
 				A3745359275735B40074B65C /* LoginHooks.swift */,
+				A0D6D54227F76C58002BB3C8 /* Cron.swift */,
+				A0D6D54627FE147D002BB3C8 /* Overrides.swift */,
+				A0D6D54827FE52C1002BB3C8 /* SystemExtensions.swift */,
 			);
 			path = persistence;
 			sourceTree = "<group>";
@@ -294,7 +303,10 @@
 				A0759135275985170006766F /* TCC.swift in Sources */,
 				A0E1E3F6275ED2E4008D0DC6 /* NetworkModule.swift in Sources */,
 				A076742C27555FC100ED7066 /* PersistenceModule.swift in Sources */,
+				A0D6D54727FE147D002BB3C8 /* Overrides.swift in Sources */,
 				A0E1E3E4275EC3D2008D0DC6 /* Swap.swift in Sources */,
+				A0D6D54927FE52C1002BB3C8 /* SystemExtensions.swift in Sources */,
+				A0D6D54327F76C58002BB3C8 /* Cron.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

diff --git a/aftermath/Module.swift b/aftermath/Module.swift
@@ -6,6 +6,7 @@
 //
 
 import Foundation
+import CoreData
 
 struct User {
     let username: String
@@ -45,13 +46,39 @@ class AftermathModule {
                 if !filename.hasPrefix("_") {
                     let username = file.deletingPathExtension().lastPathComponent
                     if let homedir = NSHomeDirectoryForUser(username) {
-                        let user = User(username:username, homedir: homedir)
-                        users.append(user)
+                            let user = User(username:username, homedir: homedir)
+                            users.append(user)
+                        }
                     }
                 }
             }
-        }
+        return users
+    }
+
+    func getBasicUsersOnSystem() -> [User] {
+        var users = [User]()
 
+        // Check Permissions
+        if (activeUser != "root") {
+            self.log("Aftermath being run in non-root mode...")
+            if let homedir = NSHomeDirectoryForUser(activeUser) {
+                let user = User(username:activeUser, homedir: homedir)
+                users.append(user)
+            }
+        } else {
+            let userPlists = filemanager.filesInDir(path: "/var/db/dslocal/nodes/Default/users/")
+            for file in userPlists {
+                let filename = file.lastPathComponent
+                if !filename.hasPrefix("_") {
+                    let username = file.deletingPathExtension().lastPathComponent
+                    if let homedir = NSHomeDirectoryForUser(username) {
+                            let user = User(username:username, homedir: homedir)
+                            if SystemUsers.allCases.contains(where: {$0.rawValue == user.username}) { continue }
+                            users.append(user)
+                        }
+                    }
+                }
+            }
         return users
     }
 
@@ -153,4 +180,9 @@ class AftermathModule {
             addTextToFile(atUrl: CaseFiles.logFile, text: entry)
         }
     }
+
+    enum SystemUsers: String, CaseIterable {
+        case nobody = "nobody"
+        case daemon = "daemon"
+    }
 }
diff --git a/artifacts/ShellHistoryAndProfiles.swift b/artifacts/ShellHistoryAndProfiles.swift
@@ -26,24 +26,29 @@ class BashProfiles: ArtifactsModule {
         let globalFiles = ["/etc/profile", "/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin", "/etc/zlogout"]
 
         // for each user, copy the shell historys and profiles
-        if let users = self.users {
-            for user in users {
-                for filename in userFiles {
-                    let path = URL(fileURLWithPath: "\(user.homedir)/\(filename)")
+        for user in getUsersOnSystem() {
+            for filename in userFiles {
+                let path = URL(fileURLWithPath: "\(user.homedir)/\(filename)")
+                if (filemanager.fileExists(atPath: path.path)) {
                     let newFileName = "\(user.username)_\(filename)"
                     self.copyFileToCase(fileToCopy: path, toLocation: self.profilesDir, newFileName: newFileName)
-                }
+                } else { continue }
+
             }
         }
+
 
         // Copy all the global files
         for file in globalFiles {
             let fileUrl = URL(fileURLWithPath: file)
-            let filename = fileUrl.lastPathComponent
-            let newFileName = "etc_\(filename)"
-            self.copyFileToCase(fileToCopy: fileUrl, toLocation: self.profilesDir, newFileName: newFileName)
+            if (filemanager.fileExists(atPath: fileUrl.path)) {
+                let filename = fileUrl.lastPathComponent
+                let newFileName = "etc_\(filename)"
+                self.copyFileToCase(fileToCopy: fileUrl, toLocation: self.profilesDir, newFileName: newFileName)
+            } else { continue }
         }
 
+
         self.log("Finished collecting shell history and profile information...")
     }
 }
diff --git a/artifacts/TCC.swift b/artifacts/TCC.swift
@@ -16,65 +16,78 @@ class TCC: ArtifactsModule {
     }
 
     func getTCC() {
-        let fileURL = try! filemanager.url(for: .applicationSupportDirectory, in: .userDomainMask, appropriateFor: nil, create: false).appendingPathComponent("com.apple.TCC/TCC.db")
-        self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir)
 
         let capturedTCC = self.createNewCaseFile(dirUrl: self.moduleDirRoot, filename: "tccItems.txt")
-        var db : OpaquePointer?
 
-        if sqlite3_open(fileURL.path, &db) == SQLITE_OK {
-            var queryStatement: OpaquePointer? = nil
-            let queryString = "select client, auth_value, auth_reason, service from access"
+        for user in getBasicUsersOnSystem() {
+
+            var fileURL: URL
+            if filemanager.fileExists(atPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db") {
+                fileURL = URL(fileURLWithPath: "\(user.homedir)/Library/Application Support/com.apple.TCC/TCC.db")
+            } else { continue }
+
+
+            self.copyFileToCase(fileToCopy: fileURL, toLocation: tccDir, newFileName: "tcc_\(user.username)")
 
-            if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK {
-                var client: String = ""
-                var authValue: String = ""
-                var authReason: String = ""
-                var service: String = ""
+
+            var db : OpaquePointer?
+
+            if sqlite3_open(fileURL.path, &db) == SQLITE_OK {
+                var queryStatement: OpaquePointer? = nil
+                let queryString = "select client, auth_value, auth_reason, service from access"
 
-                while sqlite3_step(queryStatement) == SQLITE_ROW {
-                    let col1 = sqlite3_column_text(queryStatement, 0)
-                    if col1 != nil{
-                        client = String(cString: col1!)
-                    }
+                if sqlite3_prepare_v2(db, queryString, -1, &queryStatement, nil) == SQLITE_OK {
+                    var client: String = ""
+                    var authValue: String = ""
+                    var authReason: String = ""
+                    var service: String = ""
 
-                    let col2 = sqlite3_column_text(queryStatement, 1)
-                    if col2 != nil {
-                        authValue = String(cString: col2!)
-                        for item in TCCAuthValue.allCases {
-                            if authValue == String(item.rawValue) {
-                                authValue = String(describing: item)
+                    while sqlite3_step(queryStatement) == SQLITE_ROW {
+                        let col1 = sqlite3_column_text(queryStatement, 0)
+                        if col1 != nil{
+                            client = String(cString: col1!)
+                        }
+
+                        let col2 = sqlite3_column_text(queryStatement, 1)
+                        if col2 != nil {
+                            authValue = String(cString: col2!)
+                            for item in TCCAuthValue.allCases {
+                                if authValue == String(item.rawValue) {
+                                    authValue = String(describing: item)
+                                }
                             }
                         }
-                    }
-
-                    let col3 = sqlite3_column_text(queryStatement, 2)
-                    if col3 != nil {
-                        authReason = String(cString: col3!)
-                        for item in TCCAuthReason.allCases {
-                            if authReason == String(item.rawValue) {
-                                authReason = String(describing: item)
+                        
+                        let col3 = sqlite3_column_text(queryStatement, 2)
+                        if col3 != nil {
+                            authReason = String(cString: col3!)
+                            for item in TCCAuthReason.allCases {
+                                if authReason == String(item.rawValue) {
+                                    authReason = String(describing: item)
+                                }
                             }
                         }
-                    }
-
-                    let col4 = sqlite3_column_text(queryStatement, 3)
-                    if col4 != nil {
-                        service = String(cString: col4!)
-                        for item in TCCService.allCases {
-                            if service == String(item.rawValue) {
-                                service = String(describing: item)
+                        
+                        let col4 = sqlite3_column_text(queryStatement, 3)
+                        if col4 != nil {
+                            service = String(cString: col4!)
+                            for item in TCCService.allCases {
+                                if service == String(item.rawValue) {
+                                    service = String(describing: item)
+                                }
                             }
                         }
+
+                        self.addTextToFile(atUrl: capturedTCC, text: "TCC Data for \(user.username)")
+                        self.addTextToFile(atUrl: capturedTCC, text: "Name: \(client)\nRequested Service: \(service)\nAuth Value: \(authValue)\nAuth Reason: \(authReason)\n")
                     }
-
-                    self.addTextToFile(atUrl: capturedTCC, text: "Name: \(client)\nRequested Service: \(service)\nAuth Value: \(authValue)\nAuth Reason: \(authReason)\n")
                 }
+                self.log("Finished capturing TCC data for \(user.username)")
+            } else {
+                self.log("An error occurred when attempting to query the TCC database for user \(user.username)...")
             }
-            self.log("Finished capturing TCC data")
-        } else {
-            self.log("An error occurred when attempting to query the TCC database...")
         }
+        self.log("Finished querying TCC")
     }
 
     override func run() {