MacOS.System.Users

This artifact collects information about the local users on the system. The information is stored in plist files.


name: MacOS.System.Users
description: |
  This artifact collects information about the local users on the
  system. The information is stored in plist files.

parameters:
  - name: UserPlistGlob
    default: /private/var/db/dslocal/nodes/Default/users/*.plist
  - name: OnlyShowRealUsers
    type: bool
    default: Y

sources:
  - query: |
      LET user_plist = SELECT OSPath FROM glob(globs=UserPlistGlob)
      LET UserDetails(OSPath) =
              SELECT get(member="name.0", default="") AS Name,
                     get(member="realname.0", default="") AS RealName,
                     get(member="shell.0", default="") AS UserShell,
                     get(member="home.0", default="") AS HomeDir,
                     if(condition=LinkedIdentity,
                        then=plist(file=LinkedIdentity[0],
                                   accessor='data')) as AppleId,
                     if(condition=accountPolicyData,
                        then=plist(file=accountPolicyData[0],
                                   accessor='data')) AS AccountPolicyData
              FROM plist(file=OSPath)

      SELECT Name, RealName, UserShell, HomeDir,
               get(item=AppleId, field="appleid.apple.com") AS AppleId,
               timestamp(epoch=AccountPolicyData.creationTime) AS CreationTime,
               AccountPolicyData.failedLoginCount AS FailedLoginCount,
               timestamp(epoch=AccountPolicyData.failedLoginTimestamp) AS FailedLoginTimestamp,
               timestamp(epoch=AccountPolicyData.passwordLastSetTime) AS PasswordLastSetTime
      FROM foreach(row=user_plist, query={
         SELECT * FROM UserDetails(OSPath= OSPath)
      })
      WHERE NOT OnlyShowRealUsers OR NOT UserShell =~ 'false'