list immutable files on linux systems #324

Merged
merged 2 commits into from
Jan 27, 2025
61 changes: 31 additions & 30 deletions CHANGELOG.md
@@ -4,40 +4,41 @@

### Artifacts

- chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection of hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
- files/applications/ark.yaml: Added collection of metadata about recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
- files/applications/atftp.yaml: Added collection of atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/dolphin.yaml: Added collection of session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
- files/applications/dragon_player.yaml: Added collection of paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
- files/applications/geany.yaml: Added collection of metadata about recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gedit.yaml: Added collection of metadata about recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gnome_text_editor.yaml: Added collection of metadata about recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
- files/applications/katesession.yaml: Added colleection of metadata about recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
- files/applications/nano.yaml: Added collection of nano history file [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/okular.yaml: Added collection of metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
- files/applications/php.yaml: Added collection of PHP history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/logs/macos_unified_logs.yaml: Updated to include the collection of ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/system/gvfs_metadata.yaml: Added collection of data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
- files/system/kactivitymanagerd.yaml: Added collection of activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
- files/system/upstart.yaml: Added collection of system-wide and user-session Upstart configuration files [linux].
- files/system/xdg_autostart.yaml: Added collection of system-wide and user-specific XDG autostart files [linux].
- live_response/packages/0install.yaml: Added collection of the list of installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/apk.yaml: Added collection of the list of installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/cargo.yaml: Added collection of the list of installed packages managed by the cargo package manager [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/conary.yaml: Added collection of the list of installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- chkrootkit/hidden_etc_ld_so_preload.yaml: Added collection support for hidden /etc/ld.so.preload using debugfs and xfs_db tools [linux] ([mnrkbys](https://github.com/mnrkbys)).
- files/applications/ark.yaml: Added collection support for metadata from recently opened archive files in Ark, the KDE archive manager [freebsd, linux, netbsd, openbsd].
- files/applications/atftp.yaml: Added collection support for atftp history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/dolphin.yaml: Added collection support for session data for the Dolphin file manager in the KDE desktop environment. This file contains information about the state of the Dolphin application, such as the currently open directories and their paths and the last accessed locations [freebsd, linux, netbsd, openbsd].
- files/applications/dragon_player.yaml: Added collection support for paths to recently opened video files using the Dragon Player [freebsd, linux, netbsd, openbsd].
- files/applications/geany.yaml: Added collection support for metadata from recently opened files in Geany text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gedit.yaml: Added collection support for metadata from recently opened files in Gedit text editor [freebsd, linux, netbsd, openbsd].
- files/applications/gnome_text_editor.yaml: Added collection support for metadata from recently opened files in Gnome Text Editor [freebsd, linux, netbsd, openbsd].
- files/applications/katesession.yaml: Added collection support for metadata from recently opened files in Kwrite and Kate text editors [freebsd, linux, netbsd, openbsd].
- files/applications/nano.yaml: Added collection support for nano history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/applications/okular.yaml: Added collection support for metadata related to documents that have been opened or interacted with using Okular, a document viewer for KDE [freebsd, linux, netbsd, openbsd].
- files/applications/php.yaml: Added collection support for PHP history files [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/logs/macos_unified_logs.yaml: Updated to support the collection for ASL logs [macos] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- files/system/gvfs_metadata.yaml: Added collection support for data from the gvfs-metadata directory to retrieve user-specific metadata, such as file access details, custom properties, and interaction history [freebsd, linux, netbsd, openbsd].
- files/system/kactivitymanagerd.yaml: Added collection support for activity tracking data used by KActivityManager (part of KDE) to track and manage user activities, such as recently opened files, applications, and other resources [freebsd, linux, netbsd, openbsd].
- files/system/upstart.yaml: Added collection support for system-wide and user-session Upstart configuration files [linux].
- files/system/xdg_autostart.yaml: Added collection support for system-wide and user-specific XDG autostart files [linux].
- live_response/packages/0install.yaml: Added collection support for listing installed packages managed by Zero Install package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/apk.yaml: Added collection support for listing installed packages managed by the apk package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/cargo.yaml: Added collection support for listing installed packages managed by the cargo package manager [all] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/conary.yaml: Added collection support for listing installed packages managed by the Conary package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/dpkg.yaml: Updated to verify all packages to compare information about the installed files in the package with information about the files taken from the package metadata stored in the dpkg database [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/package_owns_file.yaml: Added collection of which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/paludis.yaml: Added collection of the list of installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/portage.yaml: Added the collection of installed package lists using the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/slackpkg.yaml: Added collection of the list of installed and upgradable packages managed by slackpkg package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/snap.yaml: Updated collection to display installed packages including all revisions [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/package_owns_file.yaml: Added collection support for which installed package owns a specific file or command. Note that this artifact is resource-intensive and time-consuming to execute, so it is disabled by default in all profiles [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/packages/paludis.yaml: Added collection support for listing installed packages managed by the Paludis package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/portage.yaml: Added collection support for listing installed packages managed by the Portage package management system [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/slackpkg.yaml: Added collection support for listing installed and upgradable packages managed by slackpkg package manager [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/packages/snap.yaml: Updated to display installed packages including all revisions [linux] (by [Pierre-Gronau-ndaal](https://github.com/Pierre-Gronau-ndaal)).
- live_response/storage/findmnt.yaml: Added JSON output format for listing all mounted file systems [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/storage/lsblk.yaml: Added JSON output format for listing block devices [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/coredump.yaml: Added collection of core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/coredump.yaml: Added collection support for core dump files information [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/getcap.yaml: Added functionality to collect the list of files with associated process capabilities [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/journalctl.yaml: Added collection of listing of time periods between boots [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/ulimit.yaml: Added collection of all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
- memory_dump/coredump.yaml: Added collection of core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/immutable_files.yaml: Added collection support for listing immutable files [linux].
- live_response/system/journalctl.yaml: Added collection support for listing time periods between boots [linux] ([mnrkbys](https://github.com/mnrkbys)).
- live_response/system/ulimit.yaml: Added collection support for all resource limits information [all] ([mnrkbys](https://github.com/mnrkbys)).
- memory_dump/coredump.yaml: Added collection support for core dump, ABRT, Apport, and kdump files [esxi, linux, netbsd] ([mnrkbys](https://github.com/mnrkbys)).

### Profiles

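Review bot: the reworded entry for files/logs/macos_unified_logs.yaml ("Updated to support the collection for ASL logs") reads less naturally than the line it replaces; "Updated to support the collection of ASL logs" keeps the new "support" phrasing without the odd preposition. Same block, the live_response/system/coredump.yaml line: "core dump files information" should be "core dump file information". The new immutable_files.yaml entry is correctly placed alphabetically between getcap.yaml and journalctl.yaml; consider stating which directories it covers and that the / and user-home passes are top-level only, since that scope limit is what a reader of the changelog would want to know before relying on the artifact.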
59 changes: 59 additions & 0 deletions artifacts/live_response/system/immutable_files.yaml
@@ -0,0 +1,59 @@
version: 1.0
condition: command_exists "lsattr"
output_directory: /live_response/system
artifacts:
-
description: List immutable files under / directory (no recursion, top-level only).
supported_os: [linux]
collector: command
command: lsattr / | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under system binary directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /dev directory (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /dev | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /etc directory (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /etc | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under user home directories (no recursion, top-level only).
supported_os: [linux]
collector: command
command: lsattr /%user_home% /%user_home%/.ssh /%user_home%/.*history | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
exclude_nologin_users: true
output_file: immutable_files.txt
-
description: List immutable files under system library directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /lib /lib32 /lib64 /usr/lib /usr/lib32 /usr/lib64 /var/lib | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /run directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /run /var/run | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /tmp directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /tmp /var/tmp /run/tmp | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
-
description: List immutable files under /user/local directories (recursively).
supported_os: [linux]
collector: command
command: lsattr -R /usr/local | awk '{if ($1 ~ /i/ && $1 !~ /^\\//) print $0}'
output_file: immutable_files.txt
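Review bot: the description of the last entry says "/user/local" while its command lists /usr/local; fix the description to "/usr/local". On the shared awk filter, `$1 !~ /^\\//` is there to drop the `directory:` header lines that `lsattr -R` prints (their first field starts with a slash and would otherwise match `/i/` whenever the path contains an "i"), and the doubled backslash only works if the collector unescapes the YAML value once before it reaches awk; if the program arrives as written, awk reads `/^\\/` as "starts with a backslash" and the trailing `/` is a stray division operator, so confirm on a live run that header lines are filtered and the first field is being tested as intended, or switch to the string form `$1 !~ "^/"`, which needs no escaping at all. Finally, the `/i/` test is case-sensitive, so the indexed-directory flag `I` is correctly ignored; but `lsattr -R /dev` on devtmpfs will emit an error per device node on stderr, which is worth a comment in the entry so the noise in the collector log is not mistaken for a failure.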