-
-
Save arubdesu/a812cbc458efb0eb7f723b3b795a835f to your computer and use it in GitHub Desktop.
(Not in prod) method of reporting browser extensions back to the JAMF Casper suite, in lieu of https://github.com/arubdesu/EAs/blob/master/browseExtensions.py - installing https://github.com/osquery/osquery-python recommended (with pip as sudo so it can write to /Library)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """Data file for extension whitelist lookup""" | |
| def main(): | |
| """Gimme some main""" | |
| whitedict = { | |
| 'safari': ['com.agilebits.onepassword4-safari', | |
| 'AdBlock.safariextz', | |
| 'AdBlock-2.safariextz', | |
| 'BugMeNot.safariextz', | |
| 'Clip to DEVONthink.safariextz', | |
| 'Clip to DEVONthink-2.safariextz', | |
| 'Evernote Web Clipper-2.safariextz', | |
| 'Evernote Web Clipper.safariextz', | |
| 'com.betteradvertising.ghostery', | |
| 'com.instapaper.extension', | |
| 'KasperskyURLAdvisor.safariextz', | |
| 'KasperskyVirtualKeyboard.safariextz', | |
| 'com.lukehagan.openinchrome', | |
| 'com.sobolev.stylish', | |
| 'TabLinks.safariextz',], | |
| 'firefox': ['loop@mozilla.org',# web sharing for firefox!? | |
| '{972ce4c6-7e08-4474-a285-3208198ce6fd}',# default theme | |
| 'onepassword4@agilebits.com', | |
| '{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi', | |
| 'Clip-to-DEVONthink@devon-technologies.com.xpi', | |
| 'firefox-hotfix@mozilla.org.xpi', | |
| 'jid1-YcMV6ngYmQRA2w@jetpack'],#unofficial pinterest... | |
| 'chrome': ["pkehgijcmpdhfbdbbnkijodmdjhbjlgp",#privacy badger | |
| "aomjjhallfgjeglblehebfpbcfeobpgk",# 1Password | |
| "lbfehkoinhhcknnbdgnnmjhiladcgbol",# Evernote 'Web' | |
| "pioclpoplcdbaefihamjohnefbikjilc",# Evernote Web Clipper | |
| "cfhdojbkjhnklbpkdaibdccddilifddb",# AdBlockPlus | |
| "gighmmpiobklfepjocnamgkkbiglidom",#adblockRegular... | |
| "iooicodkiihhpojmmeghjclgihfjdjhj",# Clearly | |
| "jlhmfgmfgeifomenelglieieghnjghma",# WebEx, | |
| "bfogiafebfohielmmehodmfbbebbbpei",# Keeper password mgr | |
| "gcgikpombjkodabhbdalkcdhmllafipp",# GoToMeetingProSomethingOrOther | |
| "lneaknkopdijkpnocmklfnjbeapigfbh",# Google Maps | |
| "mgndgikekgjfcpckkfioiadnlibdjbkf",# "Chrome", | |
| "dliochdbjfkdbacpmhlcpmleaejidimm",# chromecast beta | |
| "noondiphcddnnabmjcihcjfbhfklnnep",# Google phishing/password checker | |
| "lccekmodgklaepjeofjdjpbminllajkg",# Chrome Hotword for 'Ok, Google' | |
| "nmmhkkegccagdldgiimedpiccmgmieda",# "Google Wallet", | |
| "ahfgeienlihckogmohjhadlkjgocpleb",# "Google Store", | |
| "aapocclcgogkmnckokdopfmhonfmgoek",# "Google Slides" | |
| "boadgeojelhgndaghljhdicfkmllpafd",# "Google Cast" | |
| "felcaaldnbdncclmgdcncolpebgiejap",# "Google Sheets" | |
| "gfdkimpbcpahaombhbimeihdjnejgicl",# "Chrome FeedBack", | |
| "pjkljhegncpnkpknbcohdijeoejaedia",# "Gmail", | |
| "nkeimhogjdpnpccoofpliimaahmaaome",# "Google Hangouts", | |
| "nckgahadagoaajjgafhacjanaoiihapd",# " | |
| "coobgpohoikkiipiblmjeljniedjpjpf",# "Google Search", | |
| "neajdppkdcdipfabeoofebfddakdcjhd",# "Google Network Speech", | |
| "kmendfapggjehodndflmmgagdbamhnfd",# "Chrome Crypto Token Extension", | |
| "apdfllckaahabafndbhieahigkjlhalf",# "Google Drive", | |
| "lmjegmlicamnimmfhcmpkclmigmmcbeh",# Google Drive file open in native apps | |
| "dnhpdliibojhegemfjheidglijccjfmc",# "Google Hotword Helper", | |
| "bepbmhgboaologfdajaanbcjmnhjmhfn",# "Google Voice Search Hotword", | |
| "blpcfgokakmgnkcojhhkbfbldkacnbeo",# "Google YouTube", | |
| "aohghmighlieiainnegkcijnfilokake",# "Google Docs", | |
| "eemcgdkfndhakfknompkggombfjjjeno",# "Chrome Bookmark Manager", | |
| "gmlllbghnfkpflemihljekbapjopfjik",# ditto | |
| "mfehgcgbbipciphmccgaenjidiccnmng",# "Chrome Cloud Print", | |
| "ennkphjdgehloodpbhlhldgbnhmacadg",# "Chrome Settings", | |
| "pafkbggdmjlpgkdkcbjmhmfcdpncadgh",# "Google Now", | |
| "kcnhkahnjcbndmmehfkdnkjomaanaooo",# GoogleVoice | |
| "gpdjojdkbbmdfjfahjcgigfpmkopogic",# Pinterest... | |
| "mfffpogegjflfpflabcdkioaeobkgjik",# "GAIA Component Extension" | |
| #"gkojfkhlekighikafcpjkiklfbnlmeio", unless you like customers using free VPN services like 'hola internet' | |
| "aknpkdffaafgjchaibgeefbgmgeghloj",# misc junk, not reported diseased yet | |
| "ejjicmeblgpmajnghnpcppodonldlgfn", | |
| "knipolnnllmklapflnccelgolnpehhpl", | |
| "mcemheplgccbimaplmppfdofjghnpmmn", | |
| "aciahcmjmecflokailenpkdchphgkefd", | |
| "bfjgbcjfpbbfepcccpaffkjofcmglifg", | |
| "bhmicilclplefnflapjmnngmkkkkpfad", | |
| "hnkkehjnlfplmdnallbjjdnokolhblgb", | |
| "mcbkbpnkkkipelfledbfocopglifcfmi", | |
| "ajpgkpeckebdhofmmjfgcjjiiejpodla", | |
| "aofbadhekfmdddiihifojhjjpkaoojkn", | |
| "dhaphijmoldalicdpbnpgjeeheglbppo", | |
| "elicpjhcidhpjomhibiffojpinpmmpil", | |
| "hdgenjhkjihnmigcommchefpajjhdmba", | |
| "idknbmbdnapjicclomlijcgfpikmndhd", | |
| "ifhgjbjejfocglfphkdecifccicemfll", | |
| "ghbmnnjooekpmoecnnnilnnbdlolhkhi"] | |
| } | |
| return whitedict | |
| if __name__ == '__main__': | |
| main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """Check osquery output against whitelisted browser extensions.""" | |
| import json | |
| import os | |
| import subprocess | |
| import sys | |
| #my utility import | |
| import browser_whitelist | |
| GOTIT = False | |
| try: | |
| import osquery | |
| GOTIT = 'module' | |
| except ImportError: | |
| if not os.path.exists('/usr/local/bin/osqueryi'): | |
| result = 'wha? no osquery? bro, do you even lift?' | |
| print "<result>%s</result>" % result | |
| sys.exit(0) | |
| def main(): | |
| """gimme some main""" | |
| whitedict = browser_whitelist.main() | |
| whitelist = whitedict.get('safari') + whitedict.get('chrome') + whitedict.get('firefox') | |
| chrome_sql = 'select repl.name, repl.author, repl.description, repl.identifier, repl.version, repl.path from users join repl using (uid)'.replace('repl', 'chrome_extensions') | |
| safari_sql = 'select repl.name, repl.author, repl.description, repl.identifier, repl.version, repl.path, repl.developer_id from users join repl using (uid)'.replace('repl', 'safari_extensions') | |
| firefox_sql = 'select repl.name, repl.creator, repl.description, repl.type, repl.location, repl.source_url, repl.identifier, repl.version, repl.path from users join repl using (uid)'.replace('repl', 'firefox_addons') | |
| if GOTIT == 'module': | |
| query_dict = {} | |
| query_dict['chrome'] = chrome_sql | |
| query_dict['safari'] = safari_sql | |
| query_dict['firefox'] = firefox_sql | |
| result_dict = run_osqueryd(query_dict) | |
| chrome_dictlist = result_dict.get('chrome') | |
| safari_dictlist = result_dict.get('safari') | |
| firefox_dictlist = result_dict.get('firefox') | |
| else: | |
| chrome_dictlist = run_osqueryi(chrome_sql) | |
| safari_dictlist = run_osqueryi(safari_sql) | |
| firefox_dictlist = run_osqueryi(firefox_sql) | |
| to_investigate = [] | |
| chromes = check_white(chrome_dictlist, whitelist) | |
| if chromes: | |
| to_investigate.append('\tCaught Chromens:\n' + chromes) | |
| safaris = check_white(safari_dictlist, whitelist) | |
| if safaris: | |
| to_investigate.append('\tCaught Safaris:\n' + safaris) | |
| firefoxes = check_white(firefox_dictlist, whitelist) | |
| if firefoxes: | |
| to_investigate.append('\tCaught Firefoxes:\n' + firefoxes) | |
| if to_investigate: | |
| result = "Non-whitelisted browser extentions found, investigate:\n" + "\n".join(*[to_investigate]) | |
| else: | |
| result = "No non-whitelisted browser extentions found." | |
| print "<result>%s</result>" % result | |
| def run_osqueryi(sql): | |
| """runs your sql w/ osqueryi, returns json output""" | |
| cmd = ['/usr/local/bin/osqueryi', '--json', sql] | |
| jsony_out = subprocess.check_output(cmd) | |
| try: | |
| jsony_dictlist = json.loads(jsony_out) | |
| except ValueError: | |
| print 'Error with json conversion when running query:\n%s' % sql | |
| sys.exit(1) | |
| return jsony_dictlist | |
| def run_osqueryd(sql_dict): | |
| """takes sql commands you'd like output from osquery for, returns...""" | |
| result_dict = {} | |
| instance = osquery.SpawnInstance() | |
| instance.open() | |
| for name, quer in sql_dict.items(): | |
| results = instance.client.query(quer) | |
| result_dict[name] = results.response | |
| return result_dict | |
| def check_white(ext_dictlist, whitelist): | |
| """does the list of dict splitting and checks id against whitelist""" | |
| to_dicts = {} | |
| for each in ext_dictlist: | |
| key = each.get('identifier') | |
| if key not in whitelist: | |
| del each['identifier'] | |
| to_dicts[key] = each.items() | |
| if len(to_dicts) >= 1: | |
| return str(to_dicts) | |
| else: | |
| return False | |
| if __name__ == '__main__': | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment