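def analyze_new_files(self):
    """Analyze plists that are new on the host and record their check results.

    ``self.new_files`` is read as a mapping of plist path -> content hash.
    Any rows already stored for those names in the ``plist`` table are
    loaded into ``self.pre_new_files``; then every configured key check is
    run over each new plist and one record per file is collected in
    ``self.post_new_files``.

    Side effects: rebinds ``self.data``, ``self.plist_name`` and
    ``self.plist_file`` once per file; the check helpers are expected to
    populate ``self.data`` in place.
    """
    names = list(self.new_files.keys())
    if not names:
        # With no new files the placeholder join below would produce the
        # malformed clause "name=" (zero "?" placeholders), so do not query.
        # NOTE(review): assumes an empty list is an acceptable stand-in for
        # an empty ORM.select result — confirm against ORM.select.
        self.pre_new_files = []
        self.post_new_files = []
        return
    # Build "name=? OR name=? ..." with one bound parameter per file name.
    # The names travel as query parameters, never interpolated into the SQL.
    placeholders = " OR name=".join(["?"] * len(names))
    where_statement = "name=%s" % (placeholders,)
    where_clause = [where_statement, names]
    self.pre_new_files = ORM.select("plist", None, where_clause)
    self.post_new_files = []
    for fname, fname_hash in self.new_files.items():
        # Per-file scratch state consumed by check_key_executable/check_key.
        self.data = {}
        self.plist_name = fname
        self.plist_file = read_plist(fname)
        self.data["name"] = self.plist_name
        self.data["date"] = exec_date
        self.data["hash"] = fname_hash
        for key in self.check_keys_hash:
            self.check_key_executable(key)
        for key in self.check_keys:
            self.check_key(key)
        # Aggregate the completed record for this file.
        self.post_new_files.append(self.data)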
def check_firewall_processes(self):
    """Collect the per-process firewall rules from com.apple.alf.plist.

    Each entry under the plist's "firewall" key is appended to ``self.data``
    with its name, state, process and service bundle id (``"KEY DNE"`` when
    that id is absent).  Entries missing a required key are skipped; any
    other error while reading an entry is also swallowed (best-effort scan).
    """
    alf = read_plist('/Library/Preferences/com.apple.alf.plist')
    if not alf:
        return
    processes = get_plist_key(alf, "firewall")
    if not processes:
        return
    for name, entry in processes.iteritems():
        try:
            state = str(entry['state'])
            process = entry['proc']
            try:
                servicebundleid = entry['servicebundleid']
            except KeyError:
                servicebundleid = "KEY DNE"
            record = {
                "name": name,
                "date": exec_date,
                "state": state,
                "process": process,
                "servicebundleid": servicebundleid,
            }
            self.data.append(record)
        except KeyError:
            pass
        except Exception:
            # NOTE(review): broad catch — a malformed entry is dropped
            # silently rather than aborting the scan; consider logging it.
            pass
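def analyze_new_files(self):
    """Analyze plists that are new on the host and record their check results.

    ``self.new_files`` is read as a mapping of plist path -> content hash.
    Any rows already stored for those names in the ``plist`` table are
    loaded into ``self.pre_new_files``; then every configured key check is
    run over each new plist and one record per file is collected in
    ``self.post_new_files``.

    Side effects: rebinds ``self.data``, ``self.plist_name`` and
    ``self.plist_file`` once per file; the check helpers are expected to
    populate ``self.data`` in place.
    """
    names = list(self.new_files.keys())
    if not names:
        # With no new files the placeholder join below would produce the
        # malformed clause "name=" (zero "?" placeholders), so do not query.
        # NOTE(review): assumes an empty list is an acceptable stand-in for
        # an empty ORM.select result — confirm against ORM.select.
        self.pre_new_files = []
        self.post_new_files = []
        return
    # Build "name=? OR name=? ..." with one bound parameter per file name.
    # The names travel as query parameters, never interpolated into the SQL.
    placeholders = " OR name=".join(["?"] * len(names))
    where_statement = "name=%s" % (placeholders,)
    where_clause = [where_statement, names]
    self.pre_new_files = ORM.select("plist", None, where_clause)
    self.post_new_files = []
    for fname, fname_hash in self.new_files.items():
        # Per-file scratch state consumed by check_key_executable/check_key.
        self.data = {}
        self.plist_name = fname
        self.plist_file = read_plist(fname)
        self.data["name"] = self.plist_name
        self.data["date"] = exec_date
        self.data["hash"] = fname_hash
        for key in self.check_keys_hash:
            self.check_key_executable(key)
        for key in self.check_keys:
            self.check_key(key)
        # Aggregate the completed record for this file.
        self.post_new_files.append(self.data)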
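def check_firewall_keys(self):
    """Record the top-level firewall keys of com.apple.alf.plist.

    For every key listed under the ``firewall_keys`` config entry, the
    plist value is stored in ``self.data`` as a string together with the
    key name and the run date.  Keys absent from the plist are skipped
    rather than recorded as the literal string "None".
    """
    alf = read_plist('/Library/Preferences/com.apple.alf.plist')
    if not alf:
        return
    for key_name in Config.get("firewall_keys"):
        value = get_plist_key(alf, key_name)
        # Test presence before stringifying: str() of any value is a
        # non-empty string (str(None) == "None"), so a truthiness test on
        # the string never filtered missing keys.  Falsy values such as 0
        # or False are meaningful firewall settings and are kept.
        # NOTE(review): assumes get_plist_key returns None for a missing
        # key — confirm against its definition.
        if value is None:
            continue
        text = str(value)
        if text:
            self.data.append({
                "name": key_name,
                "date": exec_date,
                "value": text,
            })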
def check_firewall_explicitauths(self):
    """Record the ids of the system firewall's explicitly authorised entries.

    Each item under the plist's "explicitauths" key contributes its ``id``
    to ``self.data``; items whose ``id`` cannot be read are skipped.
    """
    alf = read_plist('/Library/Preferences/com.apple.alf.plist')
    if not alf:
        return
    explicitauths = get_plist_key(alf, "explicitauths")
    if not explicitauths:
        return
    for entry in explicitauths:
        try:
            self.data.append({"name": entry['id'], "date": exec_date})
        except OSError:
            continue
        except Exception:
            # NOTE(review): broad catch — an entry without a readable id
            # is dropped silently; consider logging it.
            continue
def check_firewall_applications(self):
    """Record the per-application state from the system firewall plist.

    Each item under the plist's "applications" key is appended to
    ``self.data`` with its bundle id as the name, its state (stringified)
    and the run date.  Items lacking ``bundleid`` or ``state``, or that
    fail to read for any other reason, are skipped.
    """
    alf = read_plist('/Library/Preferences/com.apple.alf.plist')
    if not alf:
        return
    applications = get_plist_key(alf, "applications")
    if not applications:
        return
    for entry in applications:
        try:
            bundle_id = entry['bundleid']
            state = str(entry['state'])
        except KeyError:
            continue
        except Exception:
            # NOTE(review): broad catch — a malformed entry is skipped
            # silently; consider logging it.
            continue
        self.data.append({
            "name": bundle_id,
            "date": exec_date,
            "state": state,
        })