crowdstrike / automactc Goto Github PK

Is there a guide that outlines making contributions to automactc? I'd be happy to open a pull request, but I did not see anything to onboard new contributors.

Hello,
We are attempting to use automactc through crowdstrike remotely and it works really well.
However we are running into a problem when automactc is attempting to parse the Chrome databases if the user has Chrome opened.
For the currently logged user we run into the following errors

functions[78819] - DEBUG - error accessing database /Users/currentlyloggeduser/Library/Application Support/Google/Chrome/Default/History: database is locked
chrome[78819] - DEBUG - Visit History required table 'visits' not found
functions[78819] - DEBUG - error accessing database /Users/currentlyloggeduser/Library/Application Support/Google/Chrome/Default/History: database is locked
chrome[78819] - DEBUG - Download History required table 'downloads' not found.

I assume it is because it is attempting to access those files directly for parsing. Would copying the history file temporarily, parsing the copied file and removing it after help fix that issue or there is another way?

Thanks,

automactc : ERROR mod_firefox_v102 failed: ['Traceback (most recent call last):\n File "automactc.py", line 351, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/init.py", line 37, in import_module\n import(name)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 241, in \n module(firefox_location)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 215, in module\n get_firefox_version(c)\n File "/Users/PATH_TO/automactc/modules/mod_firefox_v102.py", line 56, in get_firefox_version\n ver = config.get('Compatibility','lastversion')\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ConfigParser.py", line 607, in get\n raise NoSectionError(section)\nNoSectionError: No section: 'Compatibility'\n']

nitpick:
If this is meant to be deployed to remote endpoints, it would be nice to have 0 external dependencies or at least have a list of possible dependencies outside of the base 2.7 python libs.

automactc:
ERROR
mod_chrome_v102 failed:
['Traceback (most recent call last):\n File "../automactc.py", line 351, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/init.py", line 37, in import_module\n import(name)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 298, in \n module(chrome_location)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 282, in module\n pull_visit_history(history_db, user, profile, urls_output, urls_headers)\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 114, in pull_visit_history\n u_cnames = get_column_headers(history_db, 'urls')\n File "/Users/dclendening/Desktop/automactc-master/modules/mod_chrome_v102.py", line 53, in get_column_headers\n col_headers = sqlite3.connect(db).cursor().execute('SELECT * from {0}'.format(column))\nOperationalError: no such table: urls\n']

macOS High Sierra migrated Login Items (some of which are exposed in the Users & Groups preferences UI) in a new location/format as described in the Objective-See blog:

2018-07-23 https://objective-see.org/blog/blog_0x31.html

automactc supports the older file (com.apple.loginitems.plist), but not this new jazz.

The location of this data is ~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm.

The file is still a binary plist, although it has also undergone a change in that data is stored in Apple's "Bookmark" format. It seems that bookmark.py may implement a parser for this. Alternatively, this project also implements a parser for the file.

Hi,

I encountered some issues with automactc when dealing with Unicode data in browser history. For instance in runtime logs:

2021-05-00T00:00:00+0000 - browser_safari_history[46558] - DEBUG - Could not write line [SKIPPED] | ['Traceback (most recent call last):\n  File "automactc.py", line 300, in write_entry\n    writer.writerow(data)\nUnicodeEncodeError: \'ascii\' codec can\'t encode character u\'\\u0142\' in position 2: ordinal not in range(128)\n']

The problem seems to happens with browser_safari_history, browser_chrome_downloads, browser_chrome_history when there is a unicode character in a page title, or in a filename. I am not familiar with automactc code base, but if plugins can return data with unicode characters in it, it make sense that the csv writer would fail here. There is an attempt to fix that L293 to L299 that was commented out.

Background

I don't believe the all of the modules actually require root (sudo), yet the script will exist immediately if not being executed as root.

Requested Changes

• Support running modules that do not require root privileges.
• Log a warning that foo, bar, etc modules will be skipped when executed as non-root user.

Noticed couple of errors -

automactc : ERROR mod_syslog_v100 failed: ['Traceback (most recent call last):\n File "automactc.py", line 299, in modExec\n import_module(modImport)\n File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/init.py", line 37, in import_module\n import(name)\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 119, in \n module()\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 112, in module\n syslog_parse(c_syslog, go_syslog, headers, output)\n File "/Users/user/automactc/modules/mod_syslog_v100.py", line 86, in syslog_parse\n record['timestamp'] = str(m.group('month') + " " + m.group('day') + " " + m.group('time'))\nAttributeError: 'NoneType' object has no attribute 'group'\n']

safari : ERROR Module fatal error: necessary table doesn't exist in database.

Sorry, but what does the following message mean ? Thanks!
/Users/user/.ssh/authorized_keys is not a public key file.