diff --git a/CHANGELOG.md b/CHANGELOG.md index fd660e1e..1de2abb3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,32 @@ ## DEVELOPMENT VERSION +### Artifacts + +- files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd]. +- files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd]. +- files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd]. +- files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd]. +- files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd]. +- files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd]. +- files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd]. +- files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd]. +- files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd]. 
+- files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd]. +- files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux]. +- files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux]. +- live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)). +- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/packages/paludis.yaml: Added collection of the list of installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)). +- live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)). +- live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)). 
+- live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)). +- memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)). + ### New Artifacts Properties - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file. diff --git a/artifacts/files/applications/ark.yaml b/artifacts/files/applications/ark.yaml new file mode 100644 index 00000000..b74ab048 --- /dev/null +++ b/artifacts/files/applications/ark.yaml 
@@ -0,0 +1,28 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + + \ No newline at end of file diff --git a/artifacts/files/applications/dolphin.yaml b/artifacts/files/applications/dolphin.yaml new file mode 100644 index 00000000..1d384692 --- /dev/null +++ b/artifacts/files/applications/dolphin.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/dragon_player.yaml b/artifacts/files/applications/dragon_player.yaml new file mode 100644 index 00000000..ef11cdc1 --- /dev/null +++ b/artifacts/files/applications/dragon_player.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect the paths to recently opened video files using the Dragon Player. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently opened video files using the Dragon Player (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently opened video files using the Dragon Player (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/geany.yaml b/artifacts/files/applications/geany.yaml new file mode 100644 index 00000000..118b13ec --- /dev/null +++ b/artifacts/files/applications/geany.yaml @@ -0,0 +1,32 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Geany text editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config/geany + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Geany text editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + path_pattern: ["*/config/geany/*"] + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Geany text editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + path_pattern: ["*/.config/geany/*"] + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + + + + \ No newline at end of file 
diff --git a/artifacts/files/applications/gedit.yaml b/artifacts/files/applications/gedit.yaml new file mode 100644 index 00000000..765646fa --- /dev/null +++ b/artifacts/files/applications/gedit.yaml @@ -0,0 +1,30 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Gedit text editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gedit text editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gedit text editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + + + + \ No newline at end of file diff --git a/artifacts/files/applications/gnome_text_editor.yaml b/artifacts/files/applications/gnome_text_editor.yaml new file mode 100644 index 00000000..38cc5239 --- /dev/null +++ b/artifacts/files/applications/gnome_text_editor.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Gnome Text Editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gnome Text Editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gnome Text Editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/google_earth.yaml b/artifacts/files/applications/google_earth.yaml index 344f6647..ee94c4f3 100644 --- a/artifacts/files/applications/google_earth.yaml +++ b/artifacts/files/applications/google_earth.yaml @@ -7,6 +7,13 @@ artifacts: path: /%user_home%/.googleearth name_pattern: ["*.kml"] exclude_nologin_users: true + - + description: Collect Google Earth KML files (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["*.kml"] + exclude_nologin_users: true - description: Collect Google Earth KML files. supported_os: [macos] diff --git a/artifacts/files/applications/gwenview.yaml b/artifacts/files/applications/gwenview.yaml new file mode 100644 index 00000000..468d6393 --- /dev/null +++ b/artifacts/files/applications/gwenview.yaml 
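Review bot: The new Flatpak entry in google_earth.yaml searches all of `/%user_home%/.var/app` for `*.kml`, so it will collect KML files belonging to any Flatpak application, not only Google Earth as the description claims, and unlike the geany.yaml entries in this same change it has no `path_pattern` to narrow the match. If the Flatpak application id is known, add a `path_pattern` limiting the search to that app's data directory; otherwise reword the description (for example `Collect KML files found under Flatpak application data directories.`) so readers of the output are not misled about provenance.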
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/katesession.yaml b/artifacts/files/applications/katesession.yaml new file mode 100644 index 00000000..b0c80a7e --- /dev/null +++ b/artifacts/files/applications/katesession.yaml 
@@ -0,0 +1,28 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + + \ No newline at end of file diff --git a/artifacts/files/applications/okular.yaml b/artifacts/files/applications/okular.yaml new file mode 100644 index 00000000..01f39d5b --- /dev/null +++ b/artifacts/files/applications/okular.yaml 
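Review bot: All three entries match only `anonymous.katesession`, which as far as I recall is the unnamed session; Kate stores each saved or named session as its own `<name>.katesession` file under the same sessions directory, so a user who works in named sessions leaves no recent-file trail in this artifact. Widening the pattern to `name_pattern: ["*.katesession"]` in the three entries would pick those up at no extra cost. If only the anonymous session is intended, the description should say so explicitly.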
@@ -0,0 +1,54 @@ +version: 1.0 +artifacts: + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/browsers/firefox.yaml b/artifacts/files/browsers/firefox.yaml index 39a44b00..114c7155 100644 --- a/artifacts/files/browsers/firefox.yaml +++ b/artifacts/files/browsers/firefox.yaml 
@@ -1,11 +1,11 @@ -version: 4.0 +version: 4.1 artifacts: - description: Collect Firefox browser files. supported_os: [freebsd, linux] collector: file path: /%user_home%/.mozilla/firefox - name_pattern: ["addons.*", "bookmarks.sqlite*", "cookies.sqlite*", "downloads.sqlite*", "extensions.json", "favicons.sqlite*", "firefox_cookies.sqlite*", "formhistory.sqlite*", "key*.db", "logins.json", "permissions.sqlite*", "places.sqlite*", "prefs.js", "protections.sqlite*", "search.sqlite*", "signon*.*", "signons.sqlite*", "storage-sync*.sqlite*", "webappstore.sqlite*"] + name_pattern: ["addons.*", "bookmarks.sqlite*", "cookies.sqlite*", "downloads.rdf", "downloads.sqlite*", "extensions.json", "favicons.sqlite*", "firefox_cookies.sqlite*", "formhistory.sqlite*", "key*.db", "logins.json", "permissions.sqlite*", "places.sqlite*", "prefs.js", "protections.sqlite*", "search.sqlite*", "signon*.*", "signons.sqlite*", "storage-sync*.sqlite*", "webappstore.sqlite*"] ignore_date_range: true exclude_nologin_users: true - diff --git a/artifacts/files/packages/dpkg.yaml b/artifacts/files/packages/dpkg.yaml index e2d7a078..c1f11b08 100644 --- a/artifacts/files/packages/dpkg.yaml +++ b/artifacts/files/packages/dpkg.yaml @@ -1,4 +1,4 @@ -version: 1.0 +version: 1.1 artifacts: - description: Collect dpkg packages status file. @@ -6,4 +6,9 @@ artifacts: collector: file path: /var/lib/dpkg/status ignore_date_range: true - \ No newline at end of file + - + description: Collect dpkg packages log file. + supported_os: [linux] + collector: file + path: /var/log/dpkg.log + ignore_date_range: true diff --git a/artifacts/files/system/etc.yaml b/artifacts/files/system/etc.yaml index dd3292c8..c4ad2726 100644 --- a/artifacts/files/system/etc.yaml +++ b/artifacts/files/system/etc.yaml 
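Review bot: The new dpkg.yaml entry with `path: /var/log/dpkg.log` captures only the live log; on Debian-based hosts logrotate moves older history to `dpkg.log.1` and `dpkg.log.*.gz` (monthly by default, as far as I recall), so any package install or removal older than the current rotation period is invisible here. Using `path: /var/log` with `name_pattern: ["dpkg.log*"]` and `file_type: [f]` keeps the rotated files, which is usually where an older backdoored-package installation shows up.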
@@ -23,3 +23,7 @@ artifacts: exclude_name_pattern: ["shadow", "shadow-"] file_type: [f] ignore_date_range: true + +# References: +# https://www.elastic.co/security-labs/primer-on-persistence-mechanisms +# https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms \ No newline at end of file diff --git a/artifacts/files/system/gvfs_metadata.yaml b/artifacts/files/system/gvfs_metadata.yaml new file mode 100644 index 00000000..9cada497 --- /dev/null +++ b/artifacts/files/system/gvfs_metadata.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect data from the gvfs-metadata directory to retrieve user-specific metadata, such as local and remote file access details, custom properties, and interaction history. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share/gvfs-metadata + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/system/kactivitymanagerd.yaml b/artifacts/files/system/kactivitymanagerd.yaml new file mode 100644 index 00000000..a1edd047 --- /dev/null +++ b/artifacts/files/system/kactivitymanagerd.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share/kactivitymanagerd/resources + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/system/upstart.yaml b/artifacts/files/system/upstart.yaml new file mode 100644 index 00000000..4ce633a4 --- /dev/null +++ b/artifacts/files/system/upstart.yaml 
@@ -0,0 +1,25 @@ +version: 1.0 +artifacts: + - + description: Collect system-wide Upstart configuration files. + supported_os: [linux] + collector: file + path: /etc/init + - + description: Collect system-wide Upstart configuration files. + supported_os: [linux] + collector: file + path: /etc/xdg/upstart + - + description: Collect system-wide Upstart configuration files. + supported_os: [linux] + collector: file + path: /usr/share/upstart/sessions + - + description: Collect user-session Upstart configuration files. + supported_os: [linux] + collector: file + path: /%user_home%/.config/upstart + +# References: +# https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms \ No newline at end of file diff --git a/artifacts/files/system/xdg_autostart.yaml b/artifacts/files/system/xdg_autostart.yaml new file mode 100644 index 00000000..82cb486b --- /dev/null +++ b/artifacts/files/system/xdg_autostart.yaml @@ -0,0 +1,30 @@ +version: 1.0 +artifacts: + - + description: Collect system-wide XDG autostart files. + supported_os: [linux] + collector: file + path: /etc/xdg/autostart + - + description: Collect system-wide XDG autostart files. + supported_os: [linux] + collector: file + path: /usr/share/autostart + - + description: Collect user-specific XDG autostart files. + supported_os: [linux] + collector: file + path: /%user_home%/.config/autostart + - + description: Collect user-specific XDG autostart files. + supported_os: [linux] + collector: file + path: /%user_home%/.local/share/autostart + - + description: Collect user-specific XDG autostart files (not part of XDG standard, but used by KDE). + supported_os: [linux] + collector: file + path: /%user_home%/.config/autostart-scripts + +# References: +# https://www.elastic.co/security-labs/primer-on-persistence-mechanisms \ No newline at end of file diff --git a/artifacts/live_response/packages/conary.yaml b/artifacts/live_response/packages/conary.yaml new file mode 100644 index 00000000..c9e71134 --- /dev/null 
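Review bot: None of the xdg_autostart.yaml entries set `ignore_date_range: true`, while the other configuration-type artifacts in this change (okularrc, the Firefox profile files, the dpkg status file and the existing etc.yaml entry) do; when a collection is run with a date range, autostart entries whose mtime falls outside it are silently skipped, and an intruder can trivially set the mtime of a dropped `.desktop` file with `touch -r`. Add `ignore_date_range: true` to each of the five entries so persistence entries are always collected. The three upstart entries in the preceding hunk have the same gap.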
+++ b/artifacts/live_response/packages/conary.yaml @@ -0,0 +1,11 @@ +version: 1.0 +condition: command_exists "conary" +output_directory: /live_response/packages +artifacts: + - + description: Display installed packages. + supported_os: [linux] + collector: command + command: conary query + output_file: conary_query.txt + \ No newline at end of file diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index f150ec6d..07e373ab 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml @@ -1,4 +1,4 @@ -version: 2.0 +version: 2.1 condition: command_exists "dpkg" output_directory: /live_response/packages artifacts: @@ -8,3 +8,9 @@ artifacts: collector: command command: dpkg -l output_file: dpkg_-l.txt + - + description: Verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database. + supported_os: [linux] + collector: command + command: dpkg -V + output_file: dpkg_-V.txt diff --git a/artifacts/live_response/packages/package_owns_file.yaml b/artifacts/live_response/packages/package_owns_file.yaml new file mode 100644 index 00000000..ed231c31 --- /dev/null +++ b/artifacts/live_response/packages/package_owns_file.yaml 
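Review bot: `dpkg -V` only compares installed files against the MD5 sums recorded in /var/lib/dpkg/info/*.md5sums, which live on the same filesystem and are writable by anyone who already has root, and it reports nothing for files that have no recorded sum, so a clean dpkg_-V.txt is weak evidence of integrity. A comment above the new entry would keep readers from over-trusting it, e.g. `# dpkg -V checks MD5 only, against sums stored on the host itself; treat a clean run as a weak signal.` It also reads every packaged file, so expect it to be markedly slower than `dpkg -l` on large installations.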
@@ -0,0 +1,97 @@ +version: 1.0 +condition: command_exists "dpkg" || command_exists "pacman" || command_exists "rpm" +output_directory: /live_response/packages +artifacts: + - + description: List filenames under /bin/. + supported_os: [linux] + collector: find + path: /bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /sbin/. + supported_os: [linux] + collector: find + path: /sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/sbin/. + supported_os: [linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/bin/. + supported_os: [linux] + collector: find + path: /usr/local/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/sbin/. + supported_os: [linux] + collector: find + path: /usr/local/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/bin/. + supported_os: [linux] + collector: find + path: /opt/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/sbin/. 
+ supported_os: [linux] + collector: find + path: /opt/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "dpkg" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: dpkg -S "%line%" + output_directory: /live_response/packages + output_file: dpkg_-S.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "pacman" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: pacman -Q -o "%line%" + output_directory: /live_response/packages + output_file: pacman_-Q_-o.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "rpm" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: rpm -q -f "%line%" | sed -e "s|$|: %line%|" + output_directory: /live_response/packages + output_file: rpm_-q_-f.txt diff --git a/artifacts/live_response/packages/paludis.yaml b/artifacts/live_response/packages/paludis.yaml new file mode 100644 index 00000000..1a3af98e --- /dev/null +++ b/artifacts/live_response/packages/paludis.yaml @@ -0,0 +1,10 @@ +version: 1.0 +condition: command_exists "cave" +output_directory: /live_response/packages +artifacts: + - + description: Display installed packages. + supported_os: [linux] + collector: command + command: cave show installed-packages + output_file: cave_show_installed-packages.txt diff --git a/artifacts/live_response/packages/portage.yaml b/artifacts/live_response/packages/portage.yaml new file mode 100644 index 00000000..e91b107d --- /dev/null 
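Review bot: The three `foreach` loops substitute each path from binary_files.txt directly into a shell command line (`dpkg -S "%line%"`, `pacman -Q -o "%line%"`, and the rpm entry where it also lands inside a `sed` expression delimited by `|`), so a file name containing `"`, `$(`, a backtick or, for the rpm entry, `|` breaks the command or executes attacker-chosen text as root — and file names under /usr/local/bin or /opt/bin are exactly what an intruder controls on a compromised host. If `%line%` is expanded textually before the shell parses the command, as the substitution here suggests, restrict the loop input to a safe character set, e.g. `foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt | grep -E '^[[:alnum:]/._+@-]+$'`, and note in the description that names outside that set must be reviewed by hand. Separately, the rpm entry lacks the `redirect_stderr_to_stdout: true` that the dpkg and pacman entries carry, so whatever rpm writes to stderr for unowned files is not captured in rpm_-q_-f.txt.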
+++ b/artifacts/live_response/packages/portage.yaml @@ -0,0 +1,17 @@ +version: 1.0 +condition: command_exists "equery" +output_directory: /live_response/packages +artifacts: + - + description: Display installed packages. + supported_os: [linux] + collector: command + command: equery list '*' + output_file: equery_list.txt + - + description: Display installed packages. + supported_os: [linux] + collector: command + command: cat /var/lib/portage/world + output_file: cat_var_lib_portage_world.txt + \ No newline at end of file diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index 83cad07a..cd172e40 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -20,4 +20,3 @@ artifacts: collector: command command: rpm -V -a output_file: rpm_-V_-a.txt - \ No newline at end of file diff --git a/artifacts/live_response/storage/findmnt.yaml b/artifacts/live_response/storage/findmnt.yaml index e744487b..f4a80e74 100644 --- a/artifacts/live_response/storage/findmnt.yaml +++ b/artifacts/live_response/storage/findmnt.yaml @@ -1,4 +1,4 @@ -version: 2.0 +version: 2.1 condition: command_exists "findmnt" output_directory: /live_response/storage artifacts: @@ -8,4 +8,9 @@ artifacts: collector: command command: findmnt --ascii output_file: findmnt.txt - \ No newline at end of file + - + description: Displays all mounted file systems in the tree-like format as JSON. + supported_os: [linux] + collector: command + command: findmnt -J + output_file: findmnt_-J.txt diff --git a/artifacts/live_response/storage/lsblk.yaml b/artifacts/live_response/storage/lsblk.yaml index 2ba72e07..01c677cc 100644 --- a/artifacts/live_response/storage/lsblk.yaml +++ b/artifacts/live_response/storage/lsblk.yaml @@ -1,4 +1,4 @@ -version: 3.0 +version: 3.1 condition: command_exists "lsblk" output_directory: /live_response/storage artifacts: 
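Review bot: Both portage.yaml entries are gated by the file-level `condition: command_exists "equery"`, but `equery` comes from the optional gentoolkit package, whereas `/var/lib/portage/world` exists on every Portage system; on a minimal Gentoo host this artifact produces nothing. Gating the file on `condition: command_exists "emerge"` and moving the equery check to a per-entry condition on the first entry, or collecting `/var/lib/portage/world` (and `/var/db/pkg`) with the file collector, would cover those hosts. The second description, `Display installed packages.`, is also inaccurate: the world file lists only explicitly selected atoms, not everything installed, so something like `Display explicitly selected packages (world file).` fits better.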
@@ -8,16 +8,33 @@ artifacts: collector: command command: lsblk output_file: lsblk.txt + - + description: List block devices as JSON. + supported_os: [linux] + collector: command + command: lsblk -J + output_file: lsblk_-J.txt - description: List block devices. supported_os: [linux] collector: command command: lsblk -l output_file: lsblk_-l.txt + - + description: List block devices as JSON. + supported_os: [linux] + collector: command + command: lsblk -l -J + output_file: lsblk_-l_-J.txt - description: List block devices including information about filesystems. supported_os: [linux] collector: command command: lsblk -f output_file: lsblk_-f.txt - \ No newline at end of file + - + description: List block devices including information about filesystems as JSON. + supported_os: [linux] + collector: command + command: lsblk -f -J + output_file: lsblk_-f_-J.txt diff --git a/artifacts/live_response/system/coredump.yaml b/artifacts/live_response/system/coredump.yaml new file mode 100644 index 00000000..57dc5c63 --- /dev/null +++ b/artifacts/live_response/system/coredump.yaml 
@@ -0,0 +1,31 @@ +version: 1.0 +output_directory: /live_response/system +artifacts: + - + description: Display the coredump file name pattern. + supported_os: [linux] + collector: command + command: cat /proc/sys/kernel/core_pattern + output_file: core_pattern.txt + - + description: List all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + command: coredumpctl list + output_file: coredumpctl_list.txt + - + description: Display info of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + foreach: coredumpctl list --no-legend | awk '{print $5}' + command: coredumpctl info %line% + output_file: coredumpctl_info_%line%.txt + - + description: Get extended attributes of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "getfattr" + command: getfattr -R -d --absolute-names /var/lib/systemd/coredump + output_file: getfattr_coredump.txt diff --git a/artifacts/live_response/system/getcap.yaml b/artifacts/live_response/system/getcap.yaml new file mode 100644 index 00000000..2dcaa7f8 --- /dev/null +++ b/artifacts/live_response/system/getcap.yaml @@ -0,0 +1,13 @@ +version: 1.0 +condition: command_exists "getcap" +output_directory: /live_response/system +# abuse process capabilities +# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms +artifacts: + - + description: List files that have process capabilities. + supported_os: [linux] + collector: command + foreach: ls -d /* | grep -vE '^/(proc|sys|dev|boot|run|swapfile)$' + command: getcap -r "%line%"/* + output_file: getcap_-r.txt diff --git a/artifacts/live_response/system/ulimit.yaml b/artifacts/live_response/system/ulimit.yaml new file mode 100644 index 00000000..02635764 --- /dev/null +++ b/artifacts/live_response/system/ulimit.yaml 
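Review bot: The `foreach` in the third coredump.yaml entry extracts the PID with `awk '{print $5}'`, which assumes the TIME column of `coredumpctl list` is always exactly four whitespace-separated fields; if the timestamp format differs on the target (locale or systemd version), the loop feeds a wrong token to `coredumpctl info` and the per-PID files come out empty or misnamed. Since PIDs are reused, `coredumpctl info <pid>` may also return several unrelated dumps under a single `coredumpctl_info_<pid>.txt`. Consider adding an entry that runs `coredumpctl info` with no match argument, which if I recall correctly prints every entry, as a fallback, and documenting the column assumption in the description.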
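Review bot: `getcap -r "%line%"/*` never visits dot-entries directly under each top-level directory, because the shell glob `*` does not match names beginning with `.`, so a capability-bearing binary planted in, say, `/root/.cache/` or `/opt/.x/` is missed; `ls -d /*` likewise skips hidden directories at the filesystem root. Recursing from the directory itself, `command: getcap -r "%line%"`, covers those entries while the grep exclusion still keeps /proc, /sys and /dev out. If the trailing glob was meant to avoid something specific, a comment saying why would help, since the referenced persistence technique is exactly the kind of thing hidden directories are used for.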
@@ -0,0 +1,10 @@ +version: 1.0 +condition: command_exists "ulimit" +output_directory: /live_response/system +artifacts: + - + description: Display all resource limits. + supported_os: [all] + collector: command + command: ulimit -a + output_file: ulimit_-a.txt diff --git a/artifacts/memory_dump/coredump.yaml b/artifacts/memory_dump/coredump.yaml new file mode 100644 index 00000000..2a4cc8b7 --- /dev/null +++ b/artifacts/memory_dump/coredump.yaml @@ -0,0 +1,39 @@ +version: 1.0 +artifacts: + - + description: Collect core dump files from /var/core/. + supported_os: [esxi] + collector: file + path: /var/core/* + - + description: Collect core dump files from /var/lib/systemd/. + supported_os: [linux] + collector: file + path: /var/lib/systemd/coredump + name_pattern: ["core.*"] + file_type: [f] + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt-upload + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/tmp/abrt + - + description: Collect Apport or kdump files. + supported_os: [linux] + collector: file + path: /var/crash + - + description: Collect core dump files from /stand/*/*/modules/coredump/. + supported_os: [netbsd] + collector: file + path: /stand/*/*/modules/coredump/* \ No newline at end of file diff --git a/profiles/full.yaml b/profiles/full.yaml index 1bdaaceb..49c02a3c 100644 --- a/profiles/full.yaml +++ b/profiles/full.yaml @@ -20,6 +20,7 @@ artifacts: - live_response/system/* - live_response/hardware/* - live_response/packages/* + - !live_response/packages/package_owns_file.yaml - live_response/storage/* - live_response/containers/* - live_response/vms/* diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index f0008c80..c1fdecbd 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml 
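Review bot: `ulimit -a` reports the limits of the shell UAC itself is running in, inherited from whoever launched it, not a system-wide setting, so the description `Display all resource limits.` overstates what ulimit_-a.txt contains. Suggest `description: Display resource limits of the collector's own shell (inherited from the invoking session; per-process limits are in /proc/<pid>/limits).` Also, `ulimit` is a shell builtin rather than a binary, so whether `condition: command_exists "ulimit"` ever holds depends on how command_exists resolves builtins — worth checking, otherwise this artifact silently never runs.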
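Review bot: Core dumps are raw process memory and routinely contain credentials, keys and session tokens of whatever crashed, but nothing in memory_dump/coredump.yaml says so, and only the systemd entry limits collection with `file_type: [f]` and a `core.*` name pattern while `/var/crash`, `/var/spool/abrt*` and `/var/tmp/abrt` are pulled whole. A header comment such as `# NOTE: core dumps contain full process memory (credentials, keys); treat the output as sensitive and expect large files.` would set expectations for whoever handles the archive. If the file collector supports a size cap, applying one to the directory-wide entries would also keep a host with many dumps from dominating the collection.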
@@ -20,6 +20,7 @@ artifacts: - live_response/system/* - live_response/hardware/* - live_response/packages/* + - !live_response/packages/package_owns_file.yaml - live_response/storage/* - live_response/containers/* - live_response/vms/*