Collect network config files and upload them. Based on TriageNetwork from forensicartifacts.com
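name: Linux.Collection.NetworkConfig
author: alternate
description: |
  Collect network config files and upload them.
  Based on TriageNetwork from forensicartifacts.com

  Every source below uploads the file(s) named by its matching parameter and
  returns the path and modification time of each, so the uploaded copies can
  be placed on the host timeline.
reference:
  - https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = 'linux'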
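parameters:
  # Single-path parameters are passed to stat(); parameters whose default is a
  # JSON array of globs are expanded with parse_json_array() + glob().
  - name: DNSResolvConfFile
    description: DNS resolver configuration file.
    default: /etc/resolv.conf
  - name: HostAccessPolicyConfiguration
    description: JSON array of host access-control (hosts.allow/hosts.deny) paths.
    default: |
      ["/etc/hosts.allow","/etc/hosts.deny"]
  - name: LinuxHostnameFile
    description: System hostname file.
    default: /etc/hostname
  - name: LinuxIgnoreICMPBroadcasts
    description: sysctl node controlling whether ICMP echo to broadcast addresses is ignored.
    default: /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  - name: LinuxNetworkIpForwardingState
    description: JSON array of sysctl globs describing IPv4/IPv6 forwarding state.
    default: |
      ["/proc/sys/net/ipv*/conf/*/forwarding","/proc/sys/net/ipv4/conf/*/mc_forwarding",
      "/proc/sys/net/ipv4/ip_forward"]
  - name: LinuxNetworkPathFilteringSettings
    description: JSON array of sysctl globs for source routing, reverse-path filtering and martian logging.
    default: |
      ["/proc/sys/net/ipv*/conf/*/accept_source_route","/proc/sys/net/ipv4/conf/*/rp_filter",
      "/proc/sys/net/ipv4/conf/*/log_martians"]
  - name: LinuxNetworkRedirectState
    description: JSON array of sysctl globs for ICMP redirect acceptance and sending.
    default: |
      ["/proc/sys/net/ipv*/conf/*/accept_redirects","/proc/sys/net/ipv4/conf/*/secure_redirects",
      "/proc/sys/net/ipv4/conf/*/send_redirects"]
  - name: LinuxProcArp
    description: Kernel ARP table as exposed under /proc.
    default: /proc/net/arp
  - name: LinuxSyncookieState
    description: sysctl node for TCP SYN cookies.
    default: /proc/sys/net/ipv4/tcp_syncookies
  - name: UFWConfigFiles
    description: JSON array of ufw configuration globs.
    default: |
      ["/etc/default/ufw","/etc/ufw/sysctl.conf","/etc/ufw/*.rules","/etc/ufw/applications.d/*"]
  - name: IPTablesConfigFiles
    description: JSON array of persisted iptables/ip6tables rule-file globs.
    default: |
      ["/etc/sysconfig/iptables*","/etc/sysconfig/ip6tables*"]
  - name: UnixHostsFile
    description: Static hosts file.
    default: /etc/hosts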
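sources:
  # Each source emits one row per file: OSPath, Mtime and the upload() result.
  # Single-path parameters go through stat(); JSON-array parameters are turned
  # into a list with parse_json_array() and expanded by glob().
  - name: uploadDNSResolvConfFile
    # NOTE(review): /etc/resolv.conf is often a symlink on resolver-managed
    # hosts; confirm whether the reported Mtime/path should be the link or its
    # target for the intended timeline use.
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=DNSResolvConfFile)
  - name: uploadHostAccessPolicyConfiguration
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=HostAccessPolicyConfiguration))
  - name: uploadLinuxHostnameFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxHostnameFile)
  - name: uploadLinuxIgnoreICMPBroadcasts
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxIgnoreICMPBroadcasts)
  - name: uploadLinuxNetworkIpForwardingState
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxNetworkIpForwardingState))
  - name: uploadLinuxNetworkPathFilteringSettings
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxNetworkPathFilteringSettings))
  - name: uploadLinuxNetworkRedirectState
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=LinuxNetworkRedirectState))
  - name: uploadLinuxProcArp
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxProcArp)
  - name: uploadLinuxSyncookieState
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=LinuxSyncookieState)
  - name: uploadUFWConfigFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=UFWConfigFiles))
  - name: uploadIPTablesConfigFiles
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM glob(globs=parse_json_array(data=IPTablesConfigFiles))
  - name: uploadUnixHostsFile
    query: |
      SELECT OSPath,
             Mtime,
             upload(file=OSPath) AS Upload
      FROM stat(filename=UnixHostsFile)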