Private/New-AuditRecord.ps1
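function New-AuditRecord {
    <#
    .SYNOPSIS
        Builds a single audit record (PSCustomObject) for one macOS executable or running process.

    .DESCRIPTION
        Resolves the enclosing bundle when none was supplied, then gathers binary architecture,
        code-signature and bundle metadata through the module's private helpers
        (Find-BundleFromExecutable, Get-BinaryArchitecture, Get-CodeSignatureInfo, Get-AppMetadata,
        Get-PlistValue, Get-BinaryDependencies — all defined elsewhere in the module). From those it
        derives a best-effort Vendor string and the Rosetta status, and optionally walks the linked
        dependencies to find Intel-only libraries.

    .PARAMETER Category
        Source category of the record. "RunningProcess" enables the runtime Rosetta check that
        uses ProcessArchitecture.
    .PARAMETER Name
        Name to fall back to when the bundle metadata yields none.
    .PARAMETER SourcePath
        Where the item was discovered (copied through to the record unchanged).
    .PARAMETER ExecutablePath
        Path of the Mach-O executable that is inspected.
    .PARAMETER BundlePath
        Path of the .app bundle; resolved from ExecutablePath when empty.
    .PARAMETER PlistPath
        Optional launchd plist. When given, its "Label" key replaces LaunchLabel.
    .PARAMETER LaunchLabel
        launchd label; only used when PlistPath is empty.
    .PARAMETER ProcessId
    .PARAMETER ProcessUser
    .PARAMETER ProcessArchitecture
        Runtime details for Category "RunningProcess"; copied through to the record.
    .PARAMETER IncludeDependencies
        When $true, linked dependencies are enumerated and each on-disk one is checked for
        Rosetta need.

    .OUTPUTS
        PSCustomObject with the audit fields (see the hashtable at the end of the function).
    #>
    param(
        [string]$Category,
        [string]$Name,
        [string]$SourcePath,
        [string]$ExecutablePath,
        [string]$BundlePath = "",
        [string]$PlistPath = "",
        [string]$LaunchLabel = "",
        [string]$ProcessId = "",
        [string]$ProcessUser = "",
        [string]$ProcessArchitecture = "",
        [bool]$IncludeDependencies = $false
    )

    # Locate the bundle only when the caller did not already supply one.
    if ([string]::IsNullOrWhiteSpace($BundlePath)) {
        $BundlePath = Find-BundleFromExecutable -ExecutablePath $ExecutablePath
    }

    $arch = Get-BinaryArchitecture -Path $ExecutablePath
    $sig  = Get-CodeSignatureInfo -Path $ExecutablePath
    $meta = Get-AppMetadata -BundlePath $BundlePath -ExecutablePath $ExecutablePath -FallbackName $Name

    # A launchd plist, when present, is authoritative for the label and overrides the parameter.
    if (-not [string]::IsNullOrWhiteSpace($PlistPath)) {
        $LaunchLabel = Get-PlistValue -PlistPath $PlistPath -Key "Label"
    }

    # Vendor precedence: the signer reported by the code signature first, then unsigned bundle
    # metadata. NOTE(review): MdAuthors and Copyright are author-controlled, unverified strings,
    # so Vendor is informational and must not be treated as an identity claim.
    $vendor = @($sig.Vendor, $meta.MdAuthors, $meta.Copyright) |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        Select-Object -First 1

    # NOTE(review): -match is a regex substring test. Depending on what Get-CodeSignatureInfo puts
    # into Authority (leaf name only vs. the whole chain), any certificate chain anchored at Apple
    # — or any certificate with "Apple" in its name — could satisfy it. This is a display
    # heuristic only; do not gate any decision on Vendor -eq "Apple". Signed / TeamIdentifier /
    # Authority are reported separately for that purpose.
    if ([string]::IsNullOrWhiteSpace($vendor) -and $sig.Authority -match "Apple") {
        $vendor = "Apple"
    }

    # Runtime Rosetta status is only meaningful for live processes.
    $currentlyUsingRosetta = $false
    $rosettaRuntimeReason  = ""
    if ($Category -eq "RunningProcess") {
        if ($ProcessArchitecture -match "x86_64|i386") {
            # The running image is reported as Intel, whatever the on-disk binary supports.
            $currentlyUsingRosetta = $true
            $rosettaRuntimeReason  = "Laufender Prozess wird als Intel/x86_64 ausgeführt"
        }
        elseif ($arch.RosettaNeeded) {
            # No usable runtime architecture, but the binary on disk has no native slice.
            $currentlyUsingRosetta = $true
            $rosettaRuntimeReason  = "Laufende Binary ist Intel-only"
        }
    }

    $deps      = @()
    $intelDeps = @()
    if ($IncludeDependencies) {
        $deps = Get-BinaryDependencies -Path $ExecutablePath
        foreach ($dep in $deps) {
            # Skip blank entries: Test-Path -LiteralPath rejects an empty string with a
            # parameter-binding error rather than returning $false.
            if ([string]::IsNullOrWhiteSpace($dep)) { continue }

            # -LiteralPath so that wildcard characters in a path are not expanded. Entries that are
            # not absolute on-disk paths (e.g. @rpath/@executable_path-relative references, if the
            # helper emits them) do not resolve and are silently excluded from IntelDependencies.
            if (Test-Path -LiteralPath $dep) {
                $depArch = Get-BinaryArchitecture -Path $dep
                if ($depArch.RosettaNeeded) {
                    $intelDeps += $dep
                }
            }
        }
    }

    [pscustomobject]@{
        Category              = $Category
        DisplayName           = $meta.DisplayName
        Name                  = $Name
        Vendor                = $vendor
        Version               = $meta.Version
        BundleDisplayName     = $meta.BundleDisplayName
        BundleName            = $meta.BundleName
        BundleId              = $meta.BundleId
        BundleExecutable      = $meta.BundleExecutable
        BundleVersion         = $meta.BundleVersion
        BundleShortVersion    = $meta.BundleShortVersion
        MdAuthors             = $meta.MdAuthors
        Copyright             = $meta.Copyright
        GetInfoString         = $meta.GetInfoString
        SourcePath            = $SourcePath
        BundlePath            = $BundlePath
        PlistPath             = $PlistPath
        LaunchLabel           = $LaunchLabel
        ExecutablePath        = $ExecutablePath
        ProcessId             = $ProcessId
        ProcessUser           = $ProcessUser
        ProcessArchitecture   = $ProcessArchitecture
        CurrentlyUsingRosetta = $currentlyUsingRosetta
        RosettaRuntimeReason  = $rosettaRuntimeReason
        Type                  = $arch.Type
        Architectures         = $arch.Architectures
        RosettaNeeded         = $arch.RosettaNeeded
        Status                = $arch.Status
        Reason                = $arch.Reason
        Signed                = $sig.Signed
        SignatureId           = $sig.Identifier
        TeamIdentifier        = $sig.TeamIdentifier
        Authority             = $sig.Authority
        Dependencies          = $deps
        IntelDependencies     = $intelDeps
        # @() wrapping keeps Count correct when the helper returned $null or a single string.
        DependencyCount       = @($deps).Count
        IntelDepCount         = @($intelDeps).Count
    }
}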