artif: new artifact
Added collection support for listing immutable files on linux systems.
tclahr committed Jan 25, 2025
1 parent 653c3b9 commit ebbf64a
Showing 2 changed files with 89 additions and 29 deletions.
59 changes: 30 additions & 29 deletions CHANGELOG.md
@@ -4,39 +4,40 @@

### Artifacts

- chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
- files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
- files/applications/atftp.yaml: Added collection of atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
- files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
- files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
- files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
- files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
- files/applications/php.yaml: Added collection of PHP history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
- files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
- files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
- files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
- live_response/packages/0install.yaml: Added collection of the list of installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/apk.yaml: Added collection of the list of installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/cargo.yaml: Added collection of the list of installed packages managed by the cargo package manager [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection support for hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
- files/applications/ark.yaml: Added collection support for metadata from recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
- files/applications/atftp.yaml: Added collection support for atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/dolphin.yaml: Added collection support for session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
- files/applications/dragon_player.yaml: Added collection support for paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
- files/applications/geany.yaml: Added collection support for metadata from recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gedit.yaml: Added collection support for metadata from recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gnome_text_editor.yaml: Added collection support for metadata from recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
- files/applications/katesession.yaml: Added collection support for metadata from recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
- files/applications/nano.yaml: Added collection support for nano history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/okular.yaml: Added collection support for metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
- files/applications/php.yaml: Added collection support for PHP history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/logs/macos_unified_logs.yaml: Updated to support the collection for ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/system/gvfs_metadata.yaml: Added collection support for data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
- files/system/kactivitymanagerd.yaml: Added collection support for activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
- files/system/upstart.yaml: Added collection support for system-wide and user-session Upstart configuration files [linux].
- files/system/xdg_autostart.yaml: Added collection support for system-wide and user-specific XDG autostart files [linux].
- live_response/packages/0install.yaml: Added collection support for listing installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/apk.yaml: Added collection support for listing installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/cargo.yaml: Added collection support for listing installed packages managed by the cargo package manager [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/conary.yaml: Added collection support for listing installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/paludis.yaml: Added collection of the list of installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/snap.yaml: Updated collection to display installed packages including all revisions [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/package_owns_file.yaml: Added collection support for which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/paludis.yaml: Added collection support for listing installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/portage.yaml: Added collection support for listing installed packages managed by the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/snap.yaml: Updated to display installed packages including all revisions [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/coredump.yaml: Added collection support for core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/journalctl.yaml: Added collection of listing of time periods between boots [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
- memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/immutable_files.yaml: Added collection support for listing immutable files [linux].
- live_response/system/journalctl.yaml: Added collection support for listing time periods between boots [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/ulimit.yaml: Added collection support for all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
- memory_dump/coredump.yaml: Added collection support for core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)).

### Profiles

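Review bot: the new entry for live_response/system/immutable_files.yaml (the added line between coredump.yaml and journalctl.yaml) says only "listing immutable files [linux]", but the artifact inspects a fixed set of directories (top level of /, the system binary and library directories, /dev, /etc, /run, /tmp, /usr/local, and the top level of each user home) and is gated on `lsattr` being present; stating that scope and the lsattr dependency in the entry would match entries such as package_owns_file.yaml, which spell out their limitations. The remaining lines of the hunk only normalise "Added collection of" to "Added collection support for" and read consistently.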
59 changes: 59 additions & 0 deletions artifacts/live_response/system/immutable_files.yaml
@@ -0,0 +1,59 @@
version: 1.0
condition: command_exists "lsattr"
output_directory: /live_response/system
artifacts:
-
description: List immutable files under / directory (no recursion, top-level only).
supported_os: [linux]
collector: command
command: lsattr / | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under system binary directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /dev directory (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /dev | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /etc directory (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /etc | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under user home directories (no recursion, top-level only).
supported_os: [linux]
collector: command
command: lsattr /%user_home% /%user_home%/.ssh /%user_home%/.*history | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
exclude_nologin_users: true
output_file: immutable_files.txt
-
description: List immutable files under system library directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 /var/lib | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /run directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /run /var/run | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /tmp directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /tmp /var/tmp /run/tmp | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /user/local directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /usr/local | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
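Review bot: none of the `lsattr` invocations pass `-a`, so entries whose name starts with a dot are skipped and, under `-R`, not descended into; the home-directory entry works around this by naming `/%user_home%/.ssh` and `/%user_home%/.*history` explicitly, but the recursive scans of /etc, /tmp, /usr/local and the library directories will miss immutable dotfiles and anything below a hidden directory. Adding `-a` (for example `lsattr -aR /etc | awk ...`) closes that gap. Two smaller points: the filter `$1 !~ /^\\//` relies on the artifact loader collapsing `\\` to `\` before the command reaches the shell; if the doubled backslash reaches awk unchanged the regex will not drop the `lsattr -R` directory header lines it is meant to remove (headers such as `/bin:` also satisfy `$1 ~ /i/`), so this is worth confirming against an existing artifact that uses the same construct. The description of the last entry reads "/user/local" while the command scans /usr/local.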
