OSXAuditor is pretty dope and we used it a bunch at Yelp. Over time, we created what we think is an inspired next version - https://github.com/Yelp/osxcollector
This looks like an interesting project. But, there's one bit of information, which is missing from the description and this discussion, that would help a lot with my understanding.

Is this a tool for a user who wants to learn more about their own machine, or a non-user who wants to know how a given machine has been used?

More information about the use cases of such a tool would be most helpful.
I'd say this isn't quite ready for prime time. The errors I received were annoying and you're not going to get an end user or most IT admins to parse the Python just to find the errors.

I've only had 3 major errors but they were significant:
1) I'm on Yosemite so GetAuditedSystemVersion() looks for a PatchVersion variable that simply isn't there. The header reads 10.10 not 10.10.patch as expected.
2) The Safari parsing snafu listed in my previous comment. Opening Safari isn't enough, you have to use the browser quite a bit. The same could likely be said for all browser tests and it would be a good idea to outline precisely what this needs to be. Hint: A new system or install of Yosemite for instance will produce the errors I saw.
3) There's a parsing bug in ParseMailAppAccount() and I just commented out the call completely.

Any number of these could just be Yosemite related but I don't think so. All of the bugs I ran into are variations on index out of bounds due to some hardcoded assumption that mostly works, except in this instance apparently. I'm not the only one with these nagging bugs based on the issues list but mine do seem very specific to Yosemite or how I do(n't) use my system.
Cool idea.

But using raw md5 hashes to verify against a blacklist is kind of useless. Especially now.

You should be using smarter file signatures:

http://hooked-on-mnemonics.blogspot.com/2011/01/intro-to-creating-anti-virus-signatures.html
Great idea. Love to run it, but... crash and burn:

~/Library/Safari/LastSession.plist
Traceback (most recent call last):
  File "osxauditor.py", line 1702, in <module>
    Main()
  File "osxauditor.py", line 1663, in Main
    ParseBrowsers()
  File "osxauditor.py", line 808, in ParseBrowsers
    ParseSafari()
  File "osxauditor.py", line 745, in ParseSafari
    ParseSafariProfile(User, UserSafariProfilePath)
  File "osxauditor.py", line 717, in ParseSafariProfile
    LastSession = LastSessionPlist["SessionWindows"][0]["TabStates"][0]
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/PyObjC/objc/_convenience.py", line 451, in __getitem__objectAtIndex_
    return container_unwrap(self.objectAtIndex_(idx), RuntimeError)
IndexError: NSRangeException - -[__NSCFArray objectAtIndex:]: index (0) beyond bounds (0)
Very interested to try this out on my own machines to see the results. I know somebody who does computer security at a University and the staff there has been frustrated with the lack of available forensics tools for OSX, so this may nicely fill an empty niche for some industry people as well.
I'm getting an error after running it:

[INFO] Users' LoginItems
[INFO] <i></i><i></i>'s LoginItems
[INFO] /Users/<i></i><i></i>/Library/Preferences/com.apple.loginitems.plist
[INFO] Cannot parse /Users/<i></i><i></i>/Library/Preferences/com.apple.loginitems.plist (Binary or JSON plist may FAIL)

Traceback (most recent call last):
  File "osxauditor.py", line 1702, in <module>
    Main()
  File "osxauditor.py", line 1651, in Main
    ParseStartup()
  File "osxauditor.py", line 550, in ParseStartup
    if "SessionItems" in LoginItemsPlist:
TypeError: argument of type 'bool' is not iterable
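Both crashes in this thread (the Safari LastSession.plist IndexError above, and the loginitems.plist TypeError where a failed parse returned a bool that was then used as a container) come from indexing into a plist without checking that the structure is actually there. The following is an added example, not OSXAuditor's code, showing how a forensic collector can read those two plists defensively; it uses plistlib (Python 3), constructs its sample plists inline, and assumes the legacy com.apple.loginitems.plist layout of SessionItems -> CustomListItems -> Name.

```python
import plistlib


def load_plist(data):
    """Parse plist bytes (binary or XML). Return the object or None on any
    failure. Never return False: a bool is not a container, and a later
    `"key" in result` check on it raises TypeError, which is the exact
    crash seen in ParseStartup(). Catching broadly is deliberate here so
    one unreadable artifact does not abort the whole collection run."""
    try:
        return plistlib.loads(data)
    except Exception:
        return None


def first_safari_tab(session):
    """Return the first tab of the first window in a LastSession.plist
    object, or None. A fresh Safari profile legitimately has an empty
    SessionWindows array, which is what triggered the IndexError."""
    if not isinstance(session, dict):
        return None
    windows = session.get("SessionWindows") or []
    if not windows or not isinstance(windows[0], dict):
        return None
    tabs = windows[0].get("TabStates") or []
    return tabs[0] if tabs and isinstance(tabs[0], dict) else None


def login_item_names(plist):
    """Return the names of login items from a com.apple.loginitems.plist
    object (assumed layout), or [] when the plist is missing or malformed."""
    if not isinstance(plist, dict):
        return []
    session = plist.get("SessionItems")
    if not isinstance(session, dict):
        return []
    items = session.get("CustomListItems") or []
    return [i.get("Name", "") for i in items if isinstance(i, dict)]


# Constructed sample artifacts (not from a real system).
EMPTY_SESSION = plistlib.dumps({"SessionWindows": []}, fmt=plistlib.FMT_BINARY)
SESSION = plistlib.dumps(
    {"SessionWindows": [{"TabStates": [{"TabTitle": "Example",
                                        "TabURL": "https://example.com/"}]}]},
    fmt=plistlib.FMT_BINARY)
LOGIN_ITEMS = plistlib.dumps(
    {"SessionItems": {"CustomListItems": [{"Name": "ExampleAgent"}]}},
    fmt=plistlib.FMT_BINARY)
GARBAGE = b"this is not a plist"
```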