added xprotect remediator to unified log and parser

jamf · Aug 30, 2022 · aebdf8e · aebdf8e
1 parent 356fa8a
commit aebdf8e
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 9 deletions.
diff --git a/aftermath.xcodeproj/project.pbxproj b/aftermath.xcodeproj/project.pbxproj
@@ -461,7 +461,7 @@
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = dwarf;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -524,7 +524,7 @@
 				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 				CLANG_WARN_UNREACHABLE_CODE = YES;
 				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				COPY_PHASE_STRIP = NO;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -553,7 +553,7 @@
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = 6PV5YF2UES;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -579,7 +579,7 @@
 				ARCHS = "$(ARCHS_STANDARD)";
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_IDENTITY = "Developer ID Application";
-				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
+				CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES;
 				CODE_SIGN_STYLE = Manual;
 				DEVELOPMENT_TEAM = 6PV5YF2UES;
 				ENABLE_HARDENED_RUNTIME = YES;

diff --git a/analysis/LogParser.swift b/analysis/LogParser.swift
@@ -32,7 +32,7 @@ class LogParser: AftermathModule {
 
                 guard let date = splitLine[safe: 0] else { continue }
                 guard let time = splitLine[safe: 1] else { continue }
-                let unformattedDate = date + "T" + time // "ex: 2022-03-1516:22:55-07"
+                let unformattedDate = date + "T" + time // ex: 2022-03-15T16:22:55-07
                 let dateFormatter = DateFormatter()
                 dateFormatter.locale = Locale(identifier: "en_US")
                 dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ssZ"
@@ -108,7 +108,47 @@ class LogParser: AftermathModule {
                 self.addTextToFile(atUrl: storylineFile, text: text)
             }
         } catch {
-            print("Unable to parse contentes")
+            print("Unable to parse contents")
+        }
+    }
+
+    func parseXProtectRemediatorLog() {
+
+        let xprotectremLog = "\(collectionDir)/UnifiedLog/xprotect_remediator.txt"
+
+        do {
+            let contents = try String(contentsOf: URL(fileURLWithPath: xprotectremLog))
+            let remediatorLogContents = contents.components(separatedBy: "\n")
+
+            for ind in 1...remediatorLogContents.count - 1 {
+                let splitLine = remediatorLogContents[ind].components(separatedBy: " ")
+
+                guard let date = splitLine[safe: 0] else { continue }
+                guard let time = splitLine[safe: 1] else { continue }
+                let unformattedDate = date + "T" + time // ex: 2022-08-30T06:51:47.381439-0700
+                let dateFormatter = DateFormatter()
+                dateFormatter.locale = Locale(identifier: "en_US")
+                dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss.SSSSSSZ"
+                dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)
+
+                var info = ""
+
+                for i in 0...splitLine.count - 1 {
+                    if i == 0 || i == 1 { continue }
+                    info = info.appending(" " + splitLine[i])
+                }
+
+                sanatizeInfo(&info)
+
+                guard let dateZome = dateFormatter.date(from: unformattedDate) else { continue }
+                dateFormatter.dateFormat = "yyyy-MM-dd'T'HH:mm:ss"
+                let formattedDate = dateFormatter.string(from: dateZome)
+                let text = "\(formattedDate), XPROTECT_REMEDIATOR, \(info)"
+                self.addTextToFile(atUrl: logsFile, text: text)
+                self.addTextToFile(atUrl: self.storylineFile, text: text)
+            }
+        } catch {
+            print("Unable to parse contents")
         }
     }
 
@@ -118,5 +158,8 @@ class LogParser: AftermathModule {
 
         self.log("Parsing system log...")
         parseSysLog()
+
+        self.log("Parsing XProtect Remediator log...")
+        parseXProtectRemediatorLog()
     }
 }
diff --git a/analysis/Storyline.swift b/analysis/Storyline.swift
@@ -117,10 +117,9 @@ class Storyline: AftermathModule {
 
     func sortStoryline() {
 
-        self.log("Creating the storyline...")
+        self.log("Creating the storyline...Please wait...")
 
         let sortedStoryline = self.createNewCaseFile(dirUrl: CaseFiles.analysisCaseDir, filename: "storyline.csv")
-
         do {
             let csvFile = try EnumeratedCSV(url: self.storylineFile)
             let sortedArr = try Aftermath.sortCSV(unsortedArr: csvFile.rows)

diff --git a/unifiedlogs/UnifiedLogModule.swift b/unifiedlogs/UnifiedLogModule.swift
@@ -23,7 +23,8 @@ class UnifiedLogModule: AftermathModule, AMProto {
             "ssh": "process == \"sshd\"",
             "failed_sudo": "process == \"sudo\" and eventMessage CONTAINS \"TTY\" AND eventMessage CONTAINS \"3 incorrect password attempts\"",
             "manual_configuration_profile_install": "subsystem == \"com.apple.ManagedClient\" AND process == \"mdmclient\" AND category == \"MDMDaemon\" and eventMessage CONTAINS \"Installed configuration profile:\" AND eventMessage CONTAINS \"Source: Manual\"",
-            "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")"
+            "screensharing": "(process == \"screensharingd\" || process == \"ScreensharingAgent\")",
+            "xprotect_remediator": "subsystem == \"com.apple.XProtectFramework.PluginAPI\""
         ]
     }