From d1d2e1d14a3307deb102e7acbed619557b05104b Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Mon, 22 Jul 2024 16:00:33 +0900 Subject: [PATCH 01/23] artif: new artifacts related to dpkg and rpm Updated to collect dpkg.log and verify installed files. Also, search for package name that contains installed files. --- artifacts/files/packages/dpkg.yaml | 9 ++- artifacts/live_response/packages/dpkg.yaml | 64 +++++++++++++++++++++- artifacts/live_response/packages/rpm.yaml | 43 ++++++++++++++- 3 files changed, 111 insertions(+), 5 deletions(-) diff --git a/artifacts/files/packages/dpkg.yaml b/artifacts/files/packages/dpkg.yaml index e2d7a078..c1f11b08 100644 --- a/artifacts/files/packages/dpkg.yaml +++ b/artifacts/files/packages/dpkg.yaml @@ -1,4 +1,4 @@ -version: 1.0 +version: 1.1 artifacts: - description: Collect dpkg packages status file. @@ -6,4 +6,9 @@ artifacts: collector: file path: /var/lib/dpkg/status ignore_date_range: true - \ No newline at end of file + - + description: Collect dpkg packages log file. + supported_os: [linux] + collector: file + path: /var/log/dpkg.log + ignore_date_range: true diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index f150ec6d..7a97aa2b 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml @@ -1,4 +1,4 @@ -version: 2.0 +version: 2.1 condition: command_exists "dpkg" output_directory: /live_response/packages artifacts: 
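Review bot: The new dpkg.log entry in files/packages/dpkg.yaml collects only the live file, `path: /var/log/dpkg.log`, while logrotate keeps the older history in dpkg.log.1, dpkg.log.2.gz and so on; for a long-dwell intrusion those rotated files are where the install or remove event usually is. The file collector already supports name patterns elsewhere in this series, so the entry could be widened to `path: /var/log`, `name_pattern: ["dpkg.log", "dpkg.log.*"]`, `file_type: [f]` (keeping `ignore_date_range: true`). Whether UAC's file collector recurses below /var/log when given a directory is not visible here, so the exact form should be checked against the collector's semantics.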
@@ -8,3 +8,65 @@ artifacts: collector: command command: dpkg -l output_file: dpkg_-l.txt + - + description: Verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database. + supported_os: [linux] + collector: command + command: dpkg -V + output_file: dpkg_-V.txt + - + description: List filenames under /sbin/. + supported_os: [linux] + collector: find + path: /sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/sbin/. + supported_os: [linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /bin/. + supported_os: [linux] + collector: find + path: /bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/. + supported_os: [linux] + collector: find + path: /opt/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/. + supported_os: [linux] + collector: find + path: /usr/local/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Search for a filename from installed packages. + supported_os: [linux] + collector: command + foreach: cat /%temp_directory%/live_response/packages/binary_files.txt + command: dpkg -S "%line%" 2>&1 + output_directory: /live_response/packages + output_file: dpkg_-S.txt 
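Review bot: The `dpkg -V` entry's description presents the check as an integrity verification, but dpkg -V compares files against the md5sums lists under /var/lib/dpkg/info on the same disk, so an intruder with root can update both and a clean report is not evidence that the binaries are untouched; conffiles are normally absent from those lists too, so modified files under /etc are not reported at all. Suggest appending to the description: `Note: verifies against the on-host md5sums lists only; conffiles are typically not covered and the lists themselves can be tampered with.` The collected /var/lib/dpkg/status and the md5sums lists are still useful offline, where they can be compared with the distribution's original packages.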
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index 83cad07a..fec8a616 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -1,4 +1,4 @@ -version: 3.0 +version: 3.1 condition: command_exists "rpm" output_directory: /live_response/packages artifacts: @@ -20,4 +20,43 @@ artifacts: collector: command command: rpm -V -a output_file: rpm_-V_-a.txt - \ No newline at end of file + - + description: List filenames under /usr/sbin/. + supported_os: [aix, linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [aix, linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/. + supported_os: [aix, linux] + collector: find + path: /opt/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/. + supported_os: [aix, linux] + collector: find + path: /usr/local/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Search for a filename from installed packages. + supported_os: [aix, linux] + collector: command + foreach: cat /%temp_directory%/live_response/packages/binary_files.txt + command: rpm -q -f "%line%" | sed 's|$|: %line%|' + output_directory: /live_response/packages + output_file: rpm_-q_-f.txt From 308397ca51f3728ac55f1be9d952136600fa6b21 Mon Sep 17 00:00:00 2001 
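Review bot: The rpm search, `command: rpm -q -f "%line%" | sed 's|$|: %line%|'`, drops the case an investigator cares about most: for a file no package owns, rpm prints `file … is not owned by any package` on stderr and nothing on stdout, so the pipe emits no line and the unowned binary simply vanishes from rpm_-q_-f.txt. The dpkg entry earlier in this patch appends `2>&1` for exactly this reason, and the rpm entry should do the same, `rpm -q -f "%line%" 2>&1 | sed 's|$|: %line%|'`, or record the failure in some other way. The same gap recurs in the package_owns_file.yaml hunk of PATCH 06/23.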
From: Minoru Kobayashi Date: Mon, 2 Sep 2024 10:44:01 +0900 Subject: [PATCH 02/23] artif: collect coredump files Add new artifacts to collect coredump files. The coredump files themselves may not directly help in analyzing incidents, but they are useful for building a timeline of the command execution history. --- artifacts/files/system/coredump.yaml | 29 ++++++++++++++++++ artifacts/live_response/system/coredump.yaml | 31 ++++++++++++++++++++ artifacts/live_response/system/ulimit.yaml | 10 +++++++ 3 files changed, 70 insertions(+) create mode 100644 artifacts/files/system/coredump.yaml create mode 100644 artifacts/live_response/system/coredump.yaml create mode 100644 artifacts/live_response/system/ulimit.yaml diff --git a/artifacts/files/system/coredump.yaml b/artifacts/files/system/coredump.yaml new file mode 100644 index 00000000..ee87a81c --- /dev/null +++ b/artifacts/files/system/coredump.yaml @@ -0,0 +1,29 @@ +version: 1.0 +artifacts: + - + description: Collect core dump files. + supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + collector: file + path: / + name_pattern: ["core", "core.*", "*.core"] + file_type: [f] + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt-upload + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/tmp/abrt + - + description: Collect Apport or kdump files. + supported_os: [linux] + collector: file + path: /var/crash diff --git a/artifacts/live_response/system/coredump.yaml b/artifacts/live_response/system/coredump.yaml new file mode 100644 index 00000000..2032aa14 --- /dev/null +++ b/artifacts/live_response/system/coredump.yaml 
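Review bot: The first entry of files/system/coredump.yaml, `path: /` with `name_pattern: ["core", "core.*", "*.core"]`, walks the entire filesystem, and the `core.*` pattern matches far more than dumps (core.py, core.js, core.h and similar exist by the hundreds under /usr/lib and in application trees), so on a typical host this collects a large amount of unrelated source and risks traversing /proc, /sys and network mounts unless the file collector stops at filesystem boundaries, which this hunk does not show. Scoping the entry to the known dump locations (systemd's /var/lib/systemd/coredump, /var/crash, the ABRT spools already listed) or adding an `exclude_name_pattern` for the common source extensions would keep the collection bounded. Core files are process memory images and routinely contain credentials and keys, which is worth a line in the description so the output is handled accordingly.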
@@ -0,0 +1,31 @@ +version: 1.0 +output_directory: /live_response/system +artifacts: + - + description: Display the coredump file name pattern. + supported_os: [linux] + collector: command + command: cat /proc/sys/kernel/core_pattern + output_file: core_pattern.txt + - + description: List all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + command: coredumpctl list + output_file: coredumpctl_list.txt + - + description: Display info of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + foreach: coredumpctl list --no-legend | awk '{print $5}' + command: coredumpctl info %line% + output_file: coredumpctl_info_%line%.txt + - + description: Get extended attributes of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "getfattr" + command: getfattr -R -d --absolute-names /var/lib/systemd/coredump + output_file: getfattr_coredump.txt diff --git a/artifacts/live_response/system/ulimit.yaml b/artifacts/live_response/system/ulimit.yaml new file mode 100644 index 00000000..09e50869 --- /dev/null +++ b/artifacts/live_response/system/ulimit.yaml @@ -0,0 +1,10 @@ +version: 1.0 +output_directory: /live_response/system +artifacts: + - + description: Display all resource limits. + supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + collector: command + condition: command_exists "ulimit" + command: ulimit -a + output_file: ulimit.txt From f2193ed033b805b27fa789af6532e1c238a6c224 Mon Sep 17 00:00:00 2001 
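Review bot: `foreach: coredumpctl list --no-legend | awk '{print $5}'` picks the PID by column position, which only holds while the TIME column renders as exactly four whitespace-separated fields (day, date, time, zone); any other timestamp format shifts the columns and `coredumpctl info %line%` then queries the wrong value. PIDs are also reused, so two dumps with the same PID produce the same `coredumpctl_info_%line%.txt` name and the second run overwrites or appends depending on the collector, which the hunk does not define. If `coredumpctl info` with no match argument prints every stored dump, as it appears to, a single entry `command: coredumpctl info` with `output_file: coredumpctl_info.txt` captures the same data without the parsing, which is worth confirming on a host with several dumps.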
From: Minoru Kobayashi Date: Mon, 2 Sep 2024 11:14:17 +0900 Subject: [PATCH 03/23] artif: changed line feed in ulimit.yaml and coredump.yaml Changed line feed code from CRLF to LF. --- artifacts/files/system/coredump.yaml | 58 +++++++++--------- artifacts/live_response/system/coredump.yaml | 62 ++++++++++---------- artifacts/live_response/system/ulimit.yaml | 20 +++---- 3 files changed, 70 insertions(+), 70 deletions(-) diff --git a/artifacts/files/system/coredump.yaml b/artifacts/files/system/coredump.yaml index ee87a81c..b3d885fe 100644 --- a/artifacts/files/system/coredump.yaml +++ b/artifacts/files/system/coredump.yaml @@ -1,29 +1,29 @@ -version: 1.0 -artifacts: - - - description: Collect core dump files. - supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] - collector: file - path: / - name_pattern: ["core", "core.*", "*.core"] - file_type: [f] - - - description: Collect ABRT files. - supported_os: [linux] - collector: file - path: /var/spool/abrt - - - description: Collect ABRT files. - supported_os: [linux] - collector: file - path: /var/spool/abrt-upload - - - description: Collect ABRT files. - supported_os: [linux] - collector: file - path: /var/tmp/abrt - - - description: Collect Apport or kdump files. - supported_os: [linux] - collector: file - path: /var/crash +version: 1.0 +artifacts: + - + description: Collect core dump files. + supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + collector: file + path: / + name_pattern: ["core", "core.*", "*.core"] + file_type: [f] + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/spool/abrt-upload + - + description: Collect ABRT files. + supported_os: [linux] + collector: file + path: /var/tmp/abrt + - + description: Collect Apport or kdump files. + supported_os: [linux] + collector: file + path: /var/crash 
diff --git a/artifacts/live_response/system/coredump.yaml b/artifacts/live_response/system/coredump.yaml index 2032aa14..57dc5c63 100644 --- a/artifacts/live_response/system/coredump.yaml +++ b/artifacts/live_response/system/coredump.yaml 
@@ -1,31 +1,31 @@ -version: 1.0 -output_directory: /live_response/system -artifacts: - - - description: Display the coredump file name pattern. - supported_os: [linux] - collector: command - command: cat /proc/sys/kernel/core_pattern - output_file: core_pattern.txt - - - description: List all coredump files. - supported_os: [linux] - collector: command - condition: command_exists "coredumpctl" - command: coredumpctl list - output_file: coredumpctl_list.txt - - - description: Display info of all coredump files. - supported_os: [linux] - collector: command - condition: command_exists "coredumpctl" - foreach: coredumpctl list --no-legend | awk '{print $5}' - command: coredumpctl info %line% - output_file: coredumpctl_info_%line%.txt - - - description: Get extended attributes of all coredump files. - supported_os: [linux] - collector: command - condition: command_exists "getfattr" - command: getfattr -R -d --absolute-names /var/lib/systemd/coredump - output_file: getfattr_coredump.txt +version: 1.0 +output_directory: /live_response/system +artifacts: + - + description: Display the coredump file name pattern. + supported_os: [linux] + collector: command + command: cat /proc/sys/kernel/core_pattern + output_file: core_pattern.txt + - + description: List all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + command: coredumpctl list + output_file: coredumpctl_list.txt + - + description: Display info of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "coredumpctl" + foreach: coredumpctl list --no-legend | awk '{print $5}' + command: coredumpctl info %line% + output_file: coredumpctl_info_%line%.txt + - + description: Get extended attributes of all coredump files. + supported_os: [linux] + collector: command + condition: command_exists "getfattr" + command: getfattr -R -d --absolute-names /var/lib/systemd/coredump + output_file: getfattr_coredump.txt 
diff --git a/artifacts/live_response/system/ulimit.yaml b/artifacts/live_response/system/ulimit.yaml index 09e50869..9ffc5b89 100644 --- a/artifacts/live_response/system/ulimit.yaml +++ b/artifacts/live_response/system/ulimit.yaml @@ -1,10 +1,10 @@ -version: 1.0 -output_directory: /live_response/system -artifacts: - - - description: Display all resource limits. - supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] - collector: command - condition: command_exists "ulimit" - command: ulimit -a - output_file: ulimit.txt +version: 1.0 +output_directory: /live_response/system +artifacts: + - + description: Display all resource limits. + supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + collector: command + condition: command_exists "ulimit" + command: ulimit -a + output_file: ulimit.txt From 20d791ffb2940691072ae7a349b756878d32e9db Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Tue, 10 Sep 2024 17:00:20 +0900 Subject: [PATCH 04/23] artif: collect process capabilities Add a new artifact to collect the process capabilities of files on the system. --- artifacts/live_response/system/getcap.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 artifacts/live_response/system/getcap.yaml diff --git a/artifacts/live_response/system/getcap.yaml b/artifacts/live_response/system/getcap.yaml new file mode 100644 index 00000000..5d230155 --- /dev/null +++ b/artifacts/live_response/system/getcap.yaml @@ -0,0 +1,13 @@ +version: 1.0 +condition: command_exists "getcap" +output_directory: /live_response/system +# abuse process capabilities +# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms +artifacts: + - + description: List files that have process capabilities. + supported_os: [linux] + collector: command + foreach: ls -d /* | grep -vE '^/(proc|sys|dev|boot|run|swapfile)$' + command: getcap -r %line% + output_file: getcap_-r.txt 
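Review bot: The header comment in getcap.yaml, `# abuse process capabilities`, does not tell a reader why the artifact exists; suggest `# Files with file capabilities set are a known persistence and privilege-escalation vector; collect them for review.` followed by the existing ref line. The foreach excludes a fixed list of top-level pseudo-filesystems, but `getcap -r` will still descend into anything mounted below the remaining roots (NFS or FUSE under /mnt, /media or /home), which can stall the collection; getcap has no one-filesystem option that I am aware of, so if that matters the exclusion list or a mount-aware pre-filter should be documented as the intended limit.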
From 03476edbb4d74b8c13512ee621e314c50ef9bdf4 Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Wed, 18 Sep 2024 16:53:03 +0900 Subject: [PATCH 05/23] artif: add lib directories Add /usr/lib, /usr/lib32, /usr/lib64, /usr/libx32 --- artifacts/live_response/packages/dpkg.yaml | 64 ++++++++++++++++++++++ artifacts/live_response/packages/rpm.yaml | 32 +++++++++++ 2 files changed, 96 insertions(+) diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index 7a97aa2b..4da23ec9 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml 
@@ -46,6 +46,70 @@ artifacts: file_type: [f, l] output_directory: /%temp_directory%/live_response/packages output_file: binary_files.txt + - + description: List filenames under /lib/. + supported_os: [linux] + collector: find + path: /lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib/. + supported_os: [linux] + collector: find + path: /usr/lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /lib32/. + supported_os: [linux] + collector: find + path: /lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib32/. + supported_os: [linux] + collector: find + path: /usr/lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /lib64/. + supported_os: [linux] + collector: find + path: /lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib64/. + supported_os: [linux] + collector: find + path: /usr/lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /libx32/. + supported_os: [linux] + collector: find + path: /libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/libx32/. + supported_os: [linux] + collector: find + path: /usr/libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt - description: List filenames under /opt/. supported_os: [linux] 
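Review bot: The added `find` entries recurse through /usr/lib and its 32/64/x32 siblings with `file_type: [f, l]`, which on an ordinary host enumerates on the order of a hundred thousand files, and the later foreach then spawns one `dpkg -S` process per line, so this hunk turns the artifact into a multi-hour job; the rpm.yaml hunk in this patch has the same cost. On merged-/usr systems /lib, /lib32, /lib64 and /libx32 are symlinks to their /usr counterparts, so every library is also listed and queried twice. If library coverage is wanted, restricting the listing to executables or batching several paths into one `dpkg -S` invocation would be needed to keep it usable during a live response.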
diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index fec8a616..0d08c7cd 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -36,6 +36,38 @@ artifacts: file_type: [f, l] output_directory: /%temp_directory%/live_response/packages output_file: binary_files.txt + - + description: List filenames under /usr/lib/. + supported_os: [aix, linux] + collector: find + path: /usr/lib/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib32/. + supported_os: [aix, linux] + collector: find + path: /usr/lib32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/lib64/. + supported_os: [aix, linux] + collector: find + path: /usr/lib64/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/libx32/. + supported_os: [aix, linux] + collector: find + path: /usr/libx32/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt - description: List filenames under /opt/. supported_os: [aix, linux] From 8bceef61da913f9dba3cc006f3f15f4a4eee2659 Mon Sep 17 00:00:00 2001 
From: Thiago Canozzo Lahr Date: Wed, 27 Nov 2024 08:05:07 -0300 Subject: [PATCH 06/23] artif: new artifact Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles --- CHANGELOG.md | 5 + artifacts/live_response/packages/dpkg.yaml | 120 ------------------ .../packages/package_owns_file.yaml | 97 ++++++++++++++ artifacts/live_response/packages/rpm.yaml | 74 +---------- profiles/full.yaml | 1 + profiles/ir_triage.yaml | 1 + 6 files changed, 105 insertions(+), 193 deletions(-) create mode 100644 artifacts/live_response/packages/package_owns_file.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index fd660e1e..110dc0c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## DEVELOPMENT VERSION +### Artifacts + +- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)). + ### New Artifacts Properties - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file. diff --git a/artifacts/live_response/packages/dpkg.yaml b/artifacts/live_response/packages/dpkg.yaml index 4da23ec9..07e373ab 100644 --- a/artifacts/live_response/packages/dpkg.yaml +++ b/artifacts/live_response/packages/dpkg.yaml 
@@ -14,123 +14,3 @@ artifacts: collector: command command: dpkg -V output_file: dpkg_-V.txt - - - description: List filenames under /sbin/. - supported_os: [linux] - collector: find - path: /sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/sbin/. - supported_os: [linux] - collector: find - path: /usr/sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /bin/. - supported_os: [linux] - collector: find - path: /bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/bin/. - supported_os: [linux] - collector: find - path: /usr/bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib/. - supported_os: [linux] - collector: find - path: /lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib/. - supported_os: [linux] - collector: find - path: /usr/lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib32/. - supported_os: [linux] - collector: find - path: /lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib32/. - supported_os: [linux] - collector: find - path: /usr/lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /lib64/. 
- supported_os: [linux] - collector: find - path: /lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib64/. - supported_os: [linux] - collector: find - path: /usr/lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /libx32/. - supported_os: [linux] - collector: find - path: /libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/libx32/. - supported_os: [linux] - collector: find - path: /usr/libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /opt/. - supported_os: [linux] - collector: find - path: /opt/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/local/. - supported_os: [linux] - collector: find - path: /usr/local/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: Search for a filename from installed packages. - supported_os: [linux] - collector: command - foreach: cat /%temp_directory%/live_response/packages/binary_files.txt - command: dpkg -S "%line%" 2>&1 - output_directory: /live_response/packages - output_file: dpkg_-S.txt diff --git a/artifacts/live_response/packages/package_owns_file.yaml b/artifacts/live_response/packages/package_owns_file.yaml new file mode 100644 index 00000000..ed231c31 --- /dev/null +++ b/artifacts/live_response/packages/package_owns_file.yaml 
@@ -0,0 +1,97 @@ +version: 1.0 +condition: command_exists "dpkg" || command_exists "pacman" || command_exists "rpm" +output_directory: /live_response/packages +artifacts: + - + description: List filenames under /bin/. + supported_os: [linux] + collector: find + path: /bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /sbin/. + supported_os: [linux] + collector: find + path: /sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/bin/. + supported_os: [linux] + collector: find + path: /usr/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/sbin/. + supported_os: [linux] + collector: find + path: /usr/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/bin/. + supported_os: [linux] + collector: find + path: /usr/local/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /usr/local/sbin/. + supported_os: [linux] + collector: find + path: /usr/local/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/bin/. + supported_os: [linux] + collector: find + path: /opt/bin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: List filenames under /opt/sbin/. 
+ supported_os: [linux] + collector: find + path: /opt/sbin/* + file_type: [f, l] + output_directory: /%temp_directory%/live_response/packages + output_file: binary_files.txt + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "dpkg" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: dpkg -S "%line%" + output_directory: /live_response/packages + output_file: dpkg_-S.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "pacman" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: pacman -Q -o "%line%" + output_directory: /live_response/packages + output_file: pacman_-Q_-o.txt + redirect_stderr_to_stdout: true + - + description: Determine which installed package owns a specific file or command. + supported_os: [linux] + collector: command + condition: command_exists "rpm" + foreach: sort -u /%temp_directory%/live_response/packages/binary_files.txt + command: rpm -q -f "%line%" | sed -e "s|$|: %line%|" + output_directory: /live_response/packages + output_file: rpm_-q_-f.txt diff --git a/artifacts/live_response/packages/rpm.yaml b/artifacts/live_response/packages/rpm.yaml index 0d08c7cd..cd172e40 100644 --- a/artifacts/live_response/packages/rpm.yaml +++ b/artifacts/live_response/packages/rpm.yaml @@ -1,4 +1,4 @@ -version: 3.1 +version: 3.0 condition: command_exists "rpm" output_directory: /live_response/packages artifacts: 
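Review bot: The rpm entry of package_owns_file.yaml is the only one of the three lookups without `redirect_stderr_to_stdout: true`, and `rpm -q -f` reports an unowned file on stderr, so exactly the files that are not owned by any package, the ones most worth an analyst's attention, never reach rpm_-q_-f.txt; add `redirect_stderr_to_stdout: true` to it as the dpkg and pacman entries have. The sed tag then also lands on the error lines, which is harmless since they already contain the path. Separately, /bin, /sbin and their /usr counterparts are listed as distinct paths, and on a merged-/usr system they resolve to the same files under different names, which `sort -u` does not collapse, so each lookup runs twice. The condition `command_exists "dpkg" || command_exists "pacman" || command_exists "rpm"` relies on UAC's condition syntax supporting `||`, which this page does not show.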
@@ -20,75 +20,3 @@ artifacts: collector: command command: rpm -V -a output_file: rpm_-V_-a.txt - - - description: List filenames under /usr/sbin/. - supported_os: [aix, linux] - collector: find - path: /usr/sbin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/bin/. - supported_os: [aix, linux] - collector: find - path: /usr/bin/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib/. - supported_os: [aix, linux] - collector: find - path: /usr/lib/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib32/. - supported_os: [aix, linux] - collector: find - path: /usr/lib32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/lib64/. - supported_os: [aix, linux] - collector: find - path: /usr/lib64/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/libx32/. - supported_os: [aix, linux] - collector: find - path: /usr/libx32/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /opt/. - supported_os: [aix, linux] - collector: find - path: /opt/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: List filenames under /usr/local/. 
- supported_os: [aix, linux] - collector: find - path: /usr/local/* - file_type: [f, l] - output_directory: /%temp_directory%/live_response/packages - output_file: binary_files.txt - - - description: Search for a filename from installed packages. - supported_os: [aix, linux] - collector: command - foreach: cat /%temp_directory%/live_response/packages/binary_files.txt - command: rpm -q -f "%line%" | sed 's|$|: %line%|' - output_directory: /live_response/packages - output_file: rpm_-q_-f.txt diff --git a/profiles/full.yaml b/profiles/full.yaml index 1bdaaceb..49c02a3c 100644 --- a/profiles/full.yaml +++ b/profiles/full.yaml @@ -20,6 +20,7 @@ artifacts: - live_response/system/* - live_response/hardware/* - live_response/packages/* + - !live_response/packages/package_owns_file.yaml - live_response/storage/* - live_response/containers/* - live_response/vms/* diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index f0008c80..c1fdecbd 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml @@ -20,6 +20,7 @@ artifacts: - live_response/system/* - live_response/hardware/* - live_response/packages/* + - !live_response/packages/package_owns_file.yaml - live_response/storage/* - live_response/containers/* - live_response/vms/* From 023da27a88834b36b672feabf5371da6011bbc25 Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Sat, 30 Nov 2024 08:15:00 -0300 Subject: [PATCH 07/23] artif: changes to coredump artifact Changes to coredump and ulimit artifacts. --- artifacts/live_response/system/ulimit.yaml | 6 +++--- .../system => memory_dump}/coredump.yaml | 18 ++++++++++++++---- 2 files changed, 17 insertions(+), 7 deletions(-) rename artifacts/{files/system => memory_dump}/coredump.yaml (54%) diff --git a/artifacts/live_response/system/ulimit.yaml b/artifacts/live_response/system/ulimit.yaml index 9ffc5b89..02635764 100644 --- a/artifacts/live_response/system/ulimit.yaml +++ b/artifacts/live_response/system/ulimit.yaml 
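Review bot: The exclusion line added to profiles/full.yaml, `- !live_response/packages/package_owns_file.yaml`, begins with `!`, which YAML reserves as the tag indicator: a spec-conformant parser reads it as an empty node carrying a local tag rather than as a string, so yamllint, schema checks or editors run over the profiles will misread or reject it; the ir_triage.yaml hunk has the same line. If UAC's profile loader is a line-oriented shell parser this presumably works as intended, but quoting the entry, `- "!live_response/packages/package_owns_file.yaml"`, keeps it a plain string for both, provided the loader strips quotes. The commit message says the artifact is disabled in all profiles, yet only these two are changed; any other profile that globs `live_response/packages/*` will still include it.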
@@ -1,10 +1,10 @@ version: 1.0 +condition: command_exists "ulimit" output_directory: /live_response/system artifacts: - description: Display all resource limits. - supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + supported_os: [all] collector: command - condition: command_exists "ulimit" command: ulimit -a - output_file: ulimit.txt + output_file: ulimit_-a.txt diff --git a/artifacts/files/system/coredump.yaml b/artifacts/memory_dump/coredump.yaml similarity index 54% rename from artifacts/files/system/coredump.yaml rename to artifacts/memory_dump/coredump.yaml index b3d885fe..2a4cc8b7 100644 --- a/artifacts/files/system/coredump.yaml +++ b/artifacts/memory_dump/coredump.yaml @@ -1,11 +1,16 @@ version: 1.0 artifacts: - - description: Collect core dump files. - supported_os: [aix, esxi, freebsd, linux, netbsd, openbsd, solaris] + description: Collect core dump files from /var/core/. + supported_os: [esxi] collector: file - path: / - name_pattern: ["core", "core.*", "*.core"] + path: /var/core/* + - + description: Collect core dump files from /var/lib/systemd/. + supported_os: [linux] + collector: file + path: /var/lib/systemd/coredump + name_pattern: ["core.*"] file_type: [f] - description: Collect ABRT files. @@ -27,3 +32,8 @@ artifacts: supported_os: [linux] collector: file path: /var/crash + - + description: Collect core dump files from /stand/*/*/modules/coredump/. + supported_os: [netbsd] + collector: file + path: /stand/*/*/modules/coredump/* \ No newline at end of file From 0a327a4a7c7ed7d65bebfa44e45f5225460b2ed1 Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Sat, 30 Nov 2024 08:24:27 -0300 Subject: [PATCH 08/23] refactor: new artifacts --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd660e1e..7798184f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
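Review bot: `ulimit -a` reports the limits of the shell UAC itself runs in, not those of the services or the suspect processes an analyst is interested in, so the description `Display all resource limits.` overstates what ulimit_-a.txt contains; suggest `Display resource limits of the collector's shell (per-process limits on Linux are in /proc/<pid>/limits).` The condition moved to file level, `condition: command_exists "ulimit"`, also deserves a check: ulimit is a shell builtin rather than a file on PATH, so whether it is ever true depends on how command_exists is implemented (`command -v` finds builtins, a PATH walk does not), and with `supported_os: [all]` that decides whether the artifact runs anywhere.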
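Review bot: The new netbsd entry in memory_dump/coredump.yaml, `path: /stand/*/*/modules/coredump/*`, appears to point at NetBSD's loadable kernel module tree (`/stand/<arch>/<release>/modules/<name>/`, where the coredump module's .kmod lives), not at process core dumps, so the artifact would collect a kernel module and no dumps. As far as I know NetBSD writes process cores according to the `kern.defcorename` sysctl, whose default is `%n.core` in the process's working directory, so there is no fixed directory to collect; a live_response command recording `sysctl kern.defcorename` would at least tell the analyst where to look. This is worth confirming on a NetBSD host before the description `Collect core dump files from /stand/*/*/modules/coredump/.` ships.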
@@ -2,6 +2,12 @@ ## DEVELOPMENT VERSION +### Artifacts + +- live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)). +- live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)). +- memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)). + ### New Artifacts Properties - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file. From d229caba13d7e865dbd6d037d5d8156983e507e3 Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Sat, 30 Nov 2024 09:14:17 -0300 Subject: [PATCH 09/23] refactor: added new artifact to CHANGELOG --- CHANGELOG.md | 4 ++++ artifacts/live_response/system/getcap.yaml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd660e1e..bc756362 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ ## DEVELOPMENT VERSION +### Artifacts + +- live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)). + ### New Artifacts Properties - Added the new 'redirect_stderr_to_stdout' property, an optional feature available exclusively for the command collector. When set to true, this property redirects all error messages (stderr) to standard output (stdout), ensuring they are written to the output file. diff --git a/artifacts/live_response/system/getcap.yaml b/artifacts/live_response/system/getcap.yaml index 5d230155..2dcaa7f8 100644 --- a/artifacts/live_response/system/getcap.yaml +++ b/artifacts/live_response/system/getcap.yaml 
@@ -9,5 +9,5 @@ artifacts: supported_os: [linux] collector: command foreach: ls -d /* | grep -vE '^/(proc|sys|dev|boot|run|swapfile)$' - command: getcap -r %line% + command: getcap -r "%line%"/* output_file: getcap_-r.txt From 884859e3c6625eba3121a6256e78ee4fe7ec0d60 Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Sat, 30 Nov 2024 09:57:32 -0300 Subject: [PATCH 10/23] artif: new artifacts --- CHANGELOG.md | 2 ++ artifacts/files/system/etc.yaml | 4 +++ artifacts/files/system/upstart.yaml | 25 +++++++++++++++++++ artifacts/files/system/xdg_autostart.yaml | 30 +++++++++++++++++++++++ 4 files changed, 61 insertions(+) create mode 100644 artifacts/files/system/upstart.yaml create mode 100644 artifacts/files/system/xdg_autostart.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index bc756362..7301c47b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ ### Artifacts +- files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux]. +- files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux]. - live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)). ### New Artifacts Properties diff --git a/artifacts/files/system/etc.yaml b/artifacts/files/system/etc.yaml index dd3292c8..c4ad2726 100644 --- a/artifacts/files/system/etc.yaml +++ b/artifacts/files/system/etc.yaml @@ -23,3 +23,7 @@ artifacts: exclude_name_pattern: ["shadow", "shadow-"] file_type: [f] ignore_date_range: true + +# References: +# https://www.elastic.co/security-labs/primer-on-persistence-mechanisms +# https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms \ No newline at end of file diff --git a/artifacts/files/system/upstart.yaml b/artifacts/files/system/upstart.yaml new file mode 100644 index 00000000..4ce633a4 --- /dev/null +++ b/artifacts/files/system/upstart.yaml 
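Review bot: `getcap -r "%line%"/*` hands getcap only what the shell glob expands to, and `*` skips dot-prefixed names, so a hidden directory directly under a top-level directory (for example under `/root` or `/opt`) is no longer scanned, whereas the old `getcap -r %line%` walked the whole subtree; that is a detection gap for exactly the kind of out-of-place capability-bearing binary this artifact exists to surface. Quoting alone fixes the whitespace problem: `command: getcap -r "%line%"`. If the `/*` was added to get past a top-level symlink such as `/bin -> usr/bin`, a comment saying so would keep the next reader from reverting it. The enclosing artifact entry starts before this hunk.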
@@ -0,0 +1,25 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect system-wide Upstart configuration files.
+ supported_os: [linux]
+ collector: file
+ path: /etc/init
+ -
+ description: Collect system-wide Upstart configuration files.
+ supported_os: [linux]
+ collector: file
+ path: /etc/xdg/upstart
+ -
+ description: Collect system-wide Upstart configuration files.
+ supported_os: [linux]
+ collector: file
+ path: /usr/share/upstart/sessions
+ -
+ description: Collect user-session Upstart configuration files.
+ supported_os: [linux]
+ collector: file
+ path: /%user_home%/.config/upstart
+
+# References:
+# https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
\ No newline at end of file
diff --git a/artifacts/files/system/xdg_autostart.yaml b/artifacts/files/system/xdg_autostart.yaml
new file mode 100644
index 00000000..82cb486b
--- /dev/null
+++ b/artifacts/files/system/xdg_autostart.yaml
@@ -0,0 +1,30 @@
+version: 1.0
+artifacts:
+ -
+ description: Collect system-wide XDG autostart files.
+ supported_os: [linux]
+ collector: file
+ path: /etc/xdg/autostart
+ -
+ description: Collect system-wide XDG autostart files.
+ supported_os: [linux]
+ collector: file
+ path: /usr/share/autostart
+ -
+ description: Collect user-specific XDG autostart files.
+ supported_os: [linux]
+ collector: file
+ path: /%user_home%/.config/autostart
+ -
+ description: Collect user-specific XDG autostart files.
+ supported_os: [linux]
+ collector: file
+ path: /%user_home%/.local/share/autostart
+ -
+ description: Collect user-specific XDG autostart files (not part of XDG standard, but used by KDE).
+ supported_os: [linux]
+ collector: file
+ path: /%user_home%/.config/autostart-scripts
+
+# References:
+# https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
\ No newline at end of file
From 66390146efce1b419fc984382afac3f5636a6f4b Mon Sep 17 00:00:00 2001
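Review bot: Three of the four entries share the identical description `Collect system-wide Upstart configuration files.` although they cover different directories (`/etc/init` holds system jobs, while `/etc/xdg/upstart` and `/usr/share/upstart/sessions` are session-job directories); naming the directory in each description, as the coredump artifact elsewhere in this series does, e.g. `Collect system-wide Upstart session job files from /etc/xdg/upstart.`, makes the collected output self-explanatory, and xdg_autostart.yaml in the next hunk repeats the pattern with two and three identical descriptions. The `/%user_home%/.config/upstart` entry, and every `%user_home%` entry in xdg_autostart.yaml, also omits the `exclude_nologin_users: true` that the other per-user artifacts in this series set; if system accounts are deliberately included here (an autostart entry under a service account's home is itself worth seeing), a comment saying so would help, otherwise add it for consistency.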
From: Thiago Canozzo Lahr Date: Fri, 6 Dec 2024 20:21:28 -0300 Subject: [PATCH 11/23] artif: new artifacts New artifacts mostly related to most recent used files by applications. --- CHANGELOG.md | 10 ++++ artifacts/files/applications/ark.yaml | 28 ++++++++++ artifacts/files/applications/dolphin.yaml | 27 ++++++++++ .../files/applications/dragon_player.yaml | 27 ++++++++++ artifacts/files/applications/geany.yaml | 32 +++++++++++ artifacts/files/applications/gedit.yaml | 30 +++++++++++ .../files/applications/gnome_text_editor.yaml | 27 ++++++++++ .../files/applications/google_earth.yaml | 7 +++ artifacts/files/applications/gwenview.yaml | 27 ++++++++++ artifacts/files/applications/katesession.yaml | 28 ++++++++++ artifacts/files/applications/okular.yaml | 54 +++++++++++++++++++ artifacts/files/system/gvfs_metadata.yaml | 10 ++++ artifacts/files/system/kactivitymanagerd.yaml | 10 ++++ 13 files changed, 317 insertions(+) create mode 100644 artifacts/files/applications/ark.yaml create mode 100644 artifacts/files/applications/dolphin.yaml create mode 100644 artifacts/files/applications/dragon_player.yaml create mode 100644 artifacts/files/applications/geany.yaml create mode 100644 artifacts/files/applications/gedit.yaml create mode 100644 artifacts/files/applications/gnome_text_editor.yaml create mode 100644 artifacts/files/applications/gwenview.yaml create mode 100644 artifacts/files/applications/katesession.yaml create mode 100644 artifacts/files/applications/okular.yaml create mode 100644 artifacts/files/system/gvfs_metadata.yaml create mode 100644 artifacts/files/system/kactivitymanagerd.yaml diff --git a/CHANGELOG.md b/CHANGELOG.md index 969bccc0..c0148954 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,16 @@ ### Artifacts +- files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd]. +- files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd]. +- files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd]. +- files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd]. +- files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd]. +- files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd]. +- files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd]. +- files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd]. +- files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd]. +- files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd]. 
- files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux]. - files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux]. - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)). diff --git a/artifacts/files/applications/ark.yaml b/artifacts/files/applications/ark.yaml new file mode 100644 index 00000000..b74ab048 --- /dev/null +++ b/artifacts/files/applications/ark.yaml @@ -0,0 +1,28 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened archive files in Ark, the KDE archive manager (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["ark_recentfiles"] + file_type: [f] + exclude_nologin_users: true + + \ No newline at end of file diff --git a/artifacts/files/applications/dolphin.yaml b/artifacts/files/applications/dolphin.yaml new file mode 100644 index 00000000..1d384692 --- /dev/null +++ b/artifacts/files/applications/dolphin.yaml 
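Review bot: ark.yaml ends with two empty added lines and `\ No newline at end of file`, which yamllint flags (empty-lines, new-line-at-end-of-file) and which turns the next append to the file into a noisier diff; the same trailing-blank-line ending appears in dolphin.yaml, dragon_player.yaml, geany.yaml, gedit.yaml, gnome_text_editor.yaml, gwenview.yaml, katesession.yaml, okular.yaml, gvfs_metadata.yaml and kactivitymanagerd.yaml in this patch. Ending each file with a single newline after the last key fixes all of them.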
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["dolphin_dolphin_dolphin"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/dragon_player.yaml b/artifacts/files/applications/dragon_player.yaml new file mode 100644 index 00000000..ef11cdc1 --- /dev/null +++ b/artifacts/files/applications/dragon_player.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect the paths to recently opened video files using the Dragon Player. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently opened video files using the Dragon Player (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently opened video files using the Dragon Player (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["dragonplayerrc"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/geany.yaml b/artifacts/files/applications/geany.yaml new file mode 100644 index 00000000..118b13ec --- /dev/null +++ b/artifacts/files/applications/geany.yaml @@ -0,0 +1,32 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Geany text editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config/geany + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Geany text editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + path_pattern: ["*/config/geany/*"] + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Geany text editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + path_pattern: ["*/.config/geany/*"] + name_pattern: ["session.conf"] + file_type: [f] + exclude_nologin_users: true + + + + \ No newline at end of file 
diff --git a/artifacts/files/applications/gedit.yaml b/artifacts/files/applications/gedit.yaml new file mode 100644 index 00000000..765646fa --- /dev/null +++ b/artifacts/files/applications/gedit.yaml @@ -0,0 +1,30 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Gedit text editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gedit text editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gedit text editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["gedit-metadata.xml"] + file_type: [f] + exclude_nologin_users: true + + + + \ No newline at end of file diff --git a/artifacts/files/applications/gnome_text_editor.yaml b/artifacts/files/applications/gnome_text_editor.yaml new file mode 100644 index 00000000..38cc5239 --- /dev/null +++ b/artifacts/files/applications/gnome_text_editor.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Gnome Text Editor. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gnome Text Editor (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Gnome Text Editor (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["session.gvariant"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/google_earth.yaml b/artifacts/files/applications/google_earth.yaml index 344f6647..ee94c4f3 100644 --- a/artifacts/files/applications/google_earth.yaml +++ b/artifacts/files/applications/google_earth.yaml @@ -7,6 +7,13 @@ artifacts: path: /%user_home%/.googleearth name_pattern: ["*.kml"] exclude_nologin_users: true + - + description: Collect Google Earth KML files (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["*.kml"] + exclude_nologin_users: true - description: Collect Google Earth KML files. supported_os: [macos] diff --git a/artifacts/files/applications/gwenview.yaml b/artifacts/files/applications/gwenview.yaml new file mode 100644 index 00000000..468d6393 --- /dev/null +++ b/artifacts/files/applications/gwenview.yaml 
@@ -0,0 +1,27 @@ +version: 1.0 +artifacts: + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect the paths to recently viewed or edited images using Gwenview image viewer (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["gwenviewrc"] + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/applications/katesession.yaml b/artifacts/files/applications/katesession.yaml new file mode 100644 index 00000000..b0c80a7e --- /dev/null +++ b/artifacts/files/applications/katesession.yaml 
@@ -0,0 +1,28 @@ +version: 1.0 +artifacts: + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect metadata about recently opened files in Kwrite and Kate text editors (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + name_pattern: ["anonymous.katesession"] + file_type: [f] + exclude_nologin_users: true + + \ No newline at end of file diff --git a/artifacts/files/applications/okular.yaml b/artifacts/files/applications/okular.yaml new file mode 100644 index 00000000..e2b02a03 --- /dev/null +++ b/artifacts/files/applications/okular.yaml 
@@ -0,0 +1,54 @@ +version: 1.0 +artifacts: + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.config + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE (Flatpak version). + supported_os: [linux] + collector: file + path: /%user_home%/.var/app + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file (Flatpak version). + supported_os: [linuxsd] + collector: file + path: /%user_home%/.var/app + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + - + description: Collect metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE (Snap version). + supported_os: [linux] + collector: file + path: /%user_home%/snap + path_pattern: ["*/okular/docdata/*"] + file_type: [f] + exclude_nologin_users: true + - + description: Collect Okular configuration file (Snap version). + supported_os: [linuxsd] + collector: file + path: /%user_home%/snap + name_pattern: ["okularrc"] + file_type: [f] + ignore_date_range: true + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/system/gvfs_metadata.yaml b/artifacts/files/system/gvfs_metadata.yaml new file mode 100644 index 00000000..9cada497 --- /dev/null +++ b/artifacts/files/system/gvfs_metadata.yaml 
@@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect data from the gvfs-metadata directory to retrieve user-specific metadata, such as local and remote file access details, custom properties, and interaction history. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share/gvfs-metadata + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file diff --git a/artifacts/files/system/kactivitymanagerd.yaml b/artifacts/files/system/kactivitymanagerd.yaml new file mode 100644 index 00000000..a1edd047 --- /dev/null +++ b/artifacts/files/system/kactivitymanagerd.yaml @@ -0,0 +1,10 @@ +version: 1.0 +artifacts: + - + description: Collect activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources. + supported_os: [freebsd, linux, netbsd, openbsd] + collector: file + path: /%user_home%/.local/share/kactivitymanagerd/resources + file_type: [f] + exclude_nologin_users: true + \ No newline at end of file From a14baee8d43caadaf785b4ebe439ccf660122fac Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Fri, 6 Dec 2024 20:24:12 -0300 Subject: [PATCH 12/23] artif: fix supported_os --- artifacts/files/applications/okular.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/artifacts/files/applications/okular.yaml b/artifacts/files/applications/okular.yaml index e2b02a03..01f39d5b 100644 --- a/artifacts/files/applications/okular.yaml +++ b/artifacts/files/applications/okular.yaml @@ -27,7 +27,7 @@ artifacts: exclude_nologin_users: true - description: Collect Okular configuration file (Flatpak version). - supported_os: [linuxsd] + supported_os: [linux] collector: file path: /%user_home%/.var/app name_pattern: ["okularrc"] 
@@ -44,7 +44,7 @@ artifacts: exclude_nologin_users: true - description: Collect Okular configuration file (Snap version). - supported_os: [linuxsd] + supported_os: [linux] collector: file path: /%user_home%/snap name_pattern: ["okularrc"] From 68e9fc44c66f96361b1b8858420e62e5f3768de5 Mon Sep 17 00:00:00 2001 From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com> Date: Sun, 8 Dec 2024 18:40:19 +0100 Subject: [PATCH 13/23] Update firefox.yaml --- artifacts/files/browsers/firefox.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifacts/files/browsers/firefox.yaml b/artifacts/files/browsers/firefox.yaml index 39a44b00..aae5e17d 100644 --- a/artifacts/files/browsers/firefox.yaml +++ b/artifacts/files/browsers/firefox.yaml @@ -13,7 +13,7 @@ artifacts: supported_os: [freebsd, linux] collector: file path: /%user_home%/.mozilla/firefox - name_pattern: ["bookmarkbackups", "sessionstore*"] + name_pattern: ["bookmarkbackups", "sessionstore*", "downloads.rdf"] file_type: [d] ignore_date_range: true exclude_nologin_users: true From af3f88b14d70e5b53c4d233d429d110b758acf94 Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Mon, 9 Dec 2024 14:04:05 +0900 Subject: [PATCH 14/23] artif: get findmnt and lsblk results in JSON format JSON format is easier to parse in scripts than plain text output. --- artifacts/live_response/storage/findmnt.yaml | 9 +++++++-- artifacts/live_response/storage/lsblk.yaml | 21 ++++++++++++++++++-- 2 files changed, 26 insertions(+), 4 deletions(-) diff --git a/artifacts/live_response/storage/findmnt.yaml b/artifacts/live_response/storage/findmnt.yaml index e744487b..f4a80e74 100644 --- a/artifacts/live_response/storage/findmnt.yaml +++ b/artifacts/live_response/storage/findmnt.yaml @@ -1,4 +1,4 @@ -version: 2.0 +version: 2.1 condition: command_exists "findmnt" output_directory: /live_response/storage artifacts: 
@@ -8,4 +8,9 @@ artifacts:
 collector: command
 command: findmnt --ascii
 output_file: findmnt.txt
-
\ No newline at end of file
+ -
+ description: Displays all mounted file systems in the tree-like format as JSON.
+ supported_os: [linux]
+ collector: command
+ command: findmnt -J
+ output_file: findmnt_-J.txt
diff --git a/artifacts/live_response/storage/lsblk.yaml b/artifacts/live_response/storage/lsblk.yaml
index 2ba72e07..01c677cc 100644
--- a/artifacts/live_response/storage/lsblk.yaml
+++ b/artifacts/live_response/storage/lsblk.yaml
@@ -1,4 +1,4 @@
-version: 3.0
+version: 3.1
 condition: command_exists "lsblk"
 output_directory: /live_response/storage
 artifacts:
@@ -8,16 +8,33 @@ artifacts:
 collector: command
 command: lsblk
 output_file: lsblk.txt
+ -
+ description: List block devices as JSON.
+ supported_os: [linux]
+ collector: command
+ command: lsblk -J
+ output_file: lsblk_-J.txt
 -
 description: List block devices.
 supported_os: [linux]
 collector: command
 command: lsblk -l
 output_file: lsblk_-l.txt
+ -
+ description: List block devices as JSON.
+ supported_os: [linux]
+ collector: command
+ command: lsblk -l -J
+ output_file: lsblk_-l_-J.txt
 -
 description: List block devices including information about filesystems.
 supported_os: [linux]
 collector: command
 command: lsblk -f
 output_file: lsblk_-f.txt
-
\ No newline at end of file
+ -
+ description: List block devices including information about filesystems as JSON.
+ supported_os: [linux]
+ collector: command
+ command: lsblk -f -J
+ output_file: lsblk_-f_-J.txt
From 5ab6346c24a871adfb421a6f632f3d7f4b5770ab Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Wed, 11 Dec 2024 07:51:42 -0300
Subject: [PATCH 15/23] Update firefox.yaml
Adding downloads.rdf to the files artifact as it was being referred in the directories one (file_type: [d]).
---
 artifacts/files/browsers/firefox.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
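Review bot: The JSON results go to `findmnt_-J.txt` here and to `lsblk_-J.txt`, `lsblk_-l_-J.txt` and `lsblk_-f_-J.txt` in the lsblk hunk; since the commit message gives script parsing as the motivation, a `.json` extension (`output_file: findmnt_-J.json`) would let consumers select those files by name, assuming the command collector does not key on the extension. On util-linux builds that predate `-J`, both commands exit with a usage error on stderr and the output file is left empty with no hint why; the `redirect_stderr_to_stdout: true` property the CHANGELOG describes would capture that message alongside the (empty) result.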
diff --git a/artifacts/files/browsers/firefox.yaml b/artifacts/files/browsers/firefox.yaml index aae5e17d..69a40067 100644 --- a/artifacts/files/browsers/firefox.yaml +++ b/artifacts/files/browsers/firefox.yaml @@ -5,7 +5,7 @@ artifacts: supported_os: [freebsd, linux] collector: file path: /%user_home%/.mozilla/firefox - name_pattern: ["addons.*", "bookmarks.sqlite*", "cookies.sqlite*", "downloads.sqlite*", "extensions.json", "favicons.sqlite*", "firefox_cookies.sqlite*", "formhistory.sqlite*", "key*.db", "logins.json", "permissions.sqlite*", "places.sqlite*", "prefs.js", "protections.sqlite*", "search.sqlite*", "signon*.*", "signons.sqlite*", "storage-sync*.sqlite*", "webappstore.sqlite*"] + name_pattern: ["addons.*", "bookmarks.sqlite*", "cookies.sqlite*", "downloads.rdf", "downloads.sqlite*", "extensions.json", "favicons.sqlite*", "firefox_cookies.sqlite*", "formhistory.sqlite*", "key*.db", "logins.json", "permissions.sqlite*", "places.sqlite*", "prefs.js", "protections.sqlite*", "search.sqlite*", "signon*.*", "signons.sqlite*", "storage-sync*.sqlite*", "webappstore.sqlite*"] ignore_date_range: true exclude_nologin_users: true - @@ -13,7 +13,7 @@ artifacts: supported_os: [freebsd, linux] collector: file path: /%user_home%/.mozilla/firefox - name_pattern: ["bookmarkbackups", "sessionstore*", "downloads.rdf"] + name_pattern: ["bookmarkbackups", "sessionstore*"] file_type: [d] ignore_date_range: true exclude_nologin_users: true From 26be4542386fb5543aa49d4f235f924473d9aaeb Mon Sep 17 00:00:00 2001 From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com> Date: Fri, 13 Dec 2024 07:54:26 +0100 Subject: [PATCH 16/23] Create paludis.yaml --- artifacts/live_response/packages/paludis.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 artifacts/live_response/packages/paludis.yaml diff --git a/artifacts/live_response/packages/paludis.yaml b/artifacts/live_response/packages/paludis.yaml new file mode 100644 index 00000000..17414802 
--- /dev/null
+++ b/artifacts/live_response/packages/paludis.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+condition: command_exists "cave"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: cave show installed-packages
+ output_file: paludis_query_list.txt
+
From 8466be6bb64ead2b2d5e6bb7645f65c276f96f8c Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 13 Dec 2024 07:58:59 +0100
Subject: [PATCH 17/23] Create conary.yaml
---
 artifacts/live_response/packages/conary.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 artifacts/live_response/packages/conary.yaml
diff --git a/artifacts/live_response/packages/conary.yaml b/artifacts/live_response/packages/conary.yaml
new file mode 100644
index 00000000..80f3f042
--- /dev/null
+++ b/artifacts/live_response/packages/conary.yaml
@@ -0,0 +1,11 @@
+version: 1.0
+condition: command_exists "conary"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: conary query
+ output_file: conary_query_list.txt
+
From fae6f5f652fd0d0e766b9e3a831b8a38063f5775 Mon Sep 17 00:00:00 2001
From: vPierre <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 13 Dec 2024 08:15:04 +0100
Subject: [PATCH 18/23] Create portage.yaml
---
 artifacts/live_response/packages/portage.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 artifacts/live_response/packages/portage.yaml
diff --git a/artifacts/live_response/packages/portage.yaml b/artifacts/live_response/packages/portage.yaml
new file mode 100644
index 00000000..c5181d0a
--- /dev/null
+++ b/artifacts/live_response/packages/portage.yaml
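Review bot: `output_file: paludis_query_list.txt` does not follow the naming the other command artifacts on this page use, where the file is named after the command that produced it (`dpkg_-l.txt`, `findmnt_-J.txt`, and `conary_query.txt` once patch 19 renames the conary output); something like `paludis_cave_show_installed-packages.txt` keeps the output self-describing. The description `Display installed packages.` could likewise name the tool, since all of these artifacts write into the shared `/live_response/packages` directory. The trailing empty `+` line also leaves a blank line at the end of the file.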
@@ -0,0 +1,11 @@
+version: 2.0
+condition: command_exists "equery"
+output_directory: /live_response/packages
+artifacts:
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: equery list '*'
+ output_file: portage_query_list.txt
+
From 2d80edffb8956102c28a925ebcfddd722f5a4d2d Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Mon, 16 Dec 2024 20:25:08 -0300
Subject: [PATCH 19/23] artif: new artifact
Added collection of the list of installed packages managed by the Conary package manager.
---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/conary.yaml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0148954..cf97f7a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
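Review bot: This is a newly created file (`create mode 100644` in its header) yet it starts at `version: 2.0`, while the sibling paludis.yaml and conary.yaml created in the two preceding patches start at 1.0; unless an earlier portage.yaml existed and was removed, `version: 1.0` is what a reader would expect. The output name `portage_query_list.txt` has the same command-unrelated naming raised for paludis.yaml; `portage_equery_list.txt` would match the convention of naming the file after the command.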
@@ -16,6 +16,7 @@
 - files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
 - files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
 - files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
+- live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/live_response/packages/conary.yaml b/artifacts/live_response/packages/conary.yaml
index 80f3f042..c9e71134 100644
--- a/artifacts/live_response/packages/conary.yaml
+++ b/artifacts/live_response/packages/conary.yaml
@@ -7,5 +7,5 @@ artifacts:
 supported_os: [linux]
 collector: command
 command: conary query
- output_file: conary_query_list.txt
-
+ output_file: conary_query.txt
+
\ No newline at end of file
From 2eae9a3ef4063ef03c7d367da8d2cf03a9c27702 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Tue, 17 Dec 2024 08:15:05 -0300
Subject: [PATCH 20/23] refactor: new artifacts
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf97f7a3..93e2ca9a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
From baa0389ff2b65da295f7cec245b5cde2b4749934 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Wed, 18 Dec 2024 08:03:45 -0300
Subject: [PATCH 21/23] artif: add downloads.rdf
---
 artifacts/files/browsers/firefox.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/artifacts/files/browsers/firefox.yaml b/artifacts/files/browsers/firefox.yaml
index 69a40067..114c7155 100644
--- a/artifacts/files/browsers/firefox.yaml
+++ b/artifacts/files/browsers/firefox.yaml
@@ -1,4 +1,4 @@
-version: 4.0
+version: 4.1
 artifacts:
 -
 description: Collect Firefox browser files.
From 31078a6de390751660d55c5ba2d12241a564f4bb Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Thu, 19 Dec 2024 08:43:22 -0300
Subject: [PATCH 22/23] artif: new portage artifact
---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/portage.yaml | 12 +++++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93e2ca9a..18addf4a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/live_response/packages/portage.yaml b/artifacts/live_response/packages/portage.yaml
index c5181d0a..e91b107d 100644
--- a/artifacts/live_response/packages/portage.yaml
+++ b/artifacts/live_response/packages/portage.yaml
@@ -1,4 +1,4 @@
-version: 2.0
+version: 1.0
 condition: command_exists "equery"
 output_directory: /live_response/packages
 artifacts:
@@ -7,5 +7,11 @@ artifacts:
 supported_os: [linux]
 collector: command
 command: equery list '*'
- output_file: portage_query_list.txt
-
+ output_file: equery_list.txt
+ -
+ description: Display installed packages.
+ supported_os: [linux]
+ collector: command
+ command: cat /var/lib/portage/world
+ output_file: cat_var_lib_portage_world.txt
+
\ No newline at end of file
From 85b8a0481dec67bbb1e46e0594e18eca961a18a5 Mon Sep 17 00:00:00 2001
From: Thiago Canozzo Lahr
Date: Fri, 20 Dec 2024 19:20:53 -0300
Subject: [PATCH 23/23] artif: new paludis artifact
---
 CHANGELOG.md | 1 +
 artifacts/live_response/packages/paludis.yaml | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 18addf4a..1de2abb3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
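Review bot: The new artifact repeats the description `Display installed packages.` of the `equery list '*'` entry above it, but `/var/lib/portage/world` holds only the packages the administrator explicitly selected (Portage's `@selected` set), not every installed package, so the two outputs will be confused during analysis; suggest `description: Display explicitly selected packages (Portage world file).`. Because this is a plain file read, the project's `file` collector would preserve the original file and its metadata where `cat` through the command collector captures only its content, though the command form is still correct. The file-level `condition: command_exists "equery"` (context in the previous hunk) also gates this entry even though the world file does not depend on gentoolkit. The final added line appears to be whitespace-only and is followed by `\ No newline at end of file`; the file should end with a single newline instead.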
@@ -19,6 +19,7 @@
 - live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
+- live_response/packages/paludis.yaml: Added collection of the list of installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
 - live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
 - live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).
diff --git a/artifacts/live_response/packages/paludis.yaml b/artifacts/live_response/packages/paludis.yaml
index 17414802..1a3af98e 100644
--- a/artifacts/live_response/packages/paludis.yaml
+++ b/artifacts/live_response/packages/paludis.yaml
@@ -7,5 +7,4 @@ artifacts:
 supported_os: [linux]
 collector: command
 command: cave show installed-packages
- output_file: paludis_query_list.txt
-
+ output_file: cave_show_installed-packages.txt