hub / github.com/jipegit/OSXAuditor / ParseQuarantines

Function ParseQuarantines

osxauditor.py:394–420  ·  view source on GitHub ↗

Parse users' quarantines

()

Source from the content-addressed store, hash-verified

392 return None
393
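def ParseQuarantines():
    ''' Parse users' quarantines

    For every entry under ROOT_PATH/Users whose name does not start with a
    dot, open that user's LaunchServices quarantine events database (the
    QuarantineEventsV2 file when it exists, otherwise QuarantineEvents) and
    log each row of the LSQuarantineEvent table as one ';'-joined line.

    The row values were written on the audited system and are logged as-is,
    so anything that later renders or parses the log should treat them as
    untrusted text.
    '''

    PrintAndLog(u'Quarantines', 'SECTION')

    for User in os.listdir(os.path.join(ROOT_PATH, 'Users/')):
        # Skip hidden entries such as .localized
        if User[0] == '.':
            continue

        PrintAndLog(User.decode('utf-8') + '\'s quarantine', 'SUBSECTION')
        DbPathV2 = os.path.join(ROOT_PATH, 'Users', User, 'Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2') # OS X >= 10.7
        DbPathV1 = os.path.join(ROOT_PATH, 'Users', User, 'Library/Preferences/com.apple.LaunchServices.QuarantineEvents') # OS X <= 10.6
        if os.path.isfile(DbPathV2):
            DbPath = DbPathV2
        elif os.path.isfile(DbPathV1):
            DbPath = DbPathV1
        else:
            PrintAndLog(u'No quarantined files for user ' + User.decode('utf-8') + u'\n', 'INFO')
            continue

        # NOTE(review): sqlite3.connect() opens the file read-write by default.
        # When ROOT_PATH points at evidence, audit a read-only mount or a
        # working copy so SQLite cannot alter the database or create journal
        # files next to it.
        DbConnection = sqlite3.connect(DbPath)
        try:
            DbCursor = DbConnection.cursor()
            for LSQuarantineEvent in DbCursor.execute('SELECT * from LSQuarantineEvent'):
                Fields = []
                for Q in LSQuarantineEvent:
                    if isinstance(Q, unicode):
                        # TEXT columns already arrive as unicode; passing them
                        # through str() raises UnicodeEncodeError as soon as a
                        # value holds a non-ASCII character.
                        Fields.append(Q)
                    else:
                        Fields.append(str(Q).decode('UTF-8', 'ignore'))
                PrintAndLog(u';'.join(Fields) + u'\n', 'INFO')
        finally:
            # Release the handle even when the query fails (missing table,
            # corrupt or locked database); the error still propagates.
            DbConnection.close()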
421
422def ParseStartupItems(StartupItemsPath):
423 ''' Parse the StartupItems plist and hash its program argument '''

Callers 1

MainFunction · 0.85

Calls 1

PrintAndLogFunction · 0.85

Tested by

no test coverage detected