Collect database configurations and upload them. Based on TriageDatabaseConfigsAndLogs from forensicartifacts.com
name: Linux.Collection.DBConfig
author: alternate
description: |
Collect database configurations and upload them.
Based on TriageDatabaseConfigsAndLogs from forensicartifacts.com
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = "linux"
parameters:
- name: MongoDBConfigurationFile
default: |
["/usr/local/etc/mongod.conf", "/opt/homebrew/etc/mongod.conf", "/etc/mongod.conf"]
- name: MongoDBLogFiles
default: /var/log/mongodb/mongod.log*
- name: MySQLConfigurationFiles
default: |
["/etc/my.cnf", "/etc/mysql/mysql.conf.d/mysqld.cnf"]
- name: MySQLLogFiles
default: |
["/var/log/mysql.log*", "/var/log/mysql/error.log*"]
- name: OpenSearchLogFiles
default: |
["/var/log/opensearch/*.json", "/var/log/opensearch/*.log"]
- name: PostgreSQLConfigurationFiles
default: |
["/etc/postgresql/*/*/pg_ident.conf", "/var/lib/pgsql/pg_hba.conf", "/var/lib/pgsql/data/pg_ident.conf",
"/etc/postgresql/*/*/postgresql.conf", "/var/lib/pgsql/pg_ident.conf", "/var/lib/pgsql/data/postgresql.conf",
"/etc/postgresql/*/*/pg_hba.conf", "/var/lib/pgsql/data/pg_hba.conf", "/var/lib/pgsql/postgresql.conf"]
- name: PostgreSQLLogFiles
default: |
["/var/log/postgresql/postgresql-*.log*", "/var/lib/pgsql/data/log/postgresql.csv*",
"/var/log/postgresql/postgresql.csv*", "/var/log/postgresql/postgresql-*-*.csv*",
"/var/log/postgresql/postgresql-*-*.log*", "/var/lib/pgsql/data/log/postgresql-*-*.csv*",
"/var/log/postgresql/postgresql-*.csv*", "/var/lib/pgsql/data/log/postgresql-*-*.log*",
"/var/lib/pgsql/data/log/postgresql-*.csv*", "/var/log/postgresql/postgresql.log*",
"/var/lib/pgsql/data/log/postgresql.log*", "/var/lib/pgsql/data/log/postgresql-*.log*"]
- name: RedisConfigFile
default: |
["/etc/redis/redis.conf", "/private/etc/redis/redis.conf"]
- name: RedisConfigurationFile
default: |
["/etc/init.d/redis_*", "/etc/redis/*"]
- name: RedisLogFiles
default: |
["/var/log/redis/redis*.log*", "/var/log/redis*.log*"]
sources:
- name: uploadMongoDBConfigurationFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=MongoDBConfigurationFile))
- name: uploadMongoDBLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=MongoDBLogFiles)
- name: uploadMySQLConfigurationFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=MySQLConfigurationFiles))
- name: uploadMySQLLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=MySQLLogFiles))
- name: uploadOpenSearchLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=OpenSearchLogFiles))
- name: uploadPostgreSQLConfigurationFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=PostgreSQLConfigurationFiles))
- name: uploadPostgreSQLLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=PostgreSQLLogFiles))
- name: uploadRedisConfigFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=RedisConfigFile))
- name: uploadRedisConfigurationFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=RedisConfigurationFile))
- name: uploadRedisLogFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=RedisLogFiles))